Q-Free MaxTime, Missing Authorization Vulnerability, CVE-2025-26374 Medium

How the CVE Works:

CVE-2025-26374 is a vulnerability classified under CWE-862, “Missing Authorization,” found in the `maxprofile/users/routes.lua` file of Q-Free MaxTime versions 2.11.0 and earlier. This flaw allows an authenticated attacker with low privileges to enumerate users by sending crafted HTTP requests to the users endpoint. The lack of proper authorization checks in the `routes.lua` script enables the attacker to bypass intended restrictions and access sensitive user information. This vulnerability is particularly concerning in multi-user environments where user enumeration can lead to further exploitation, such as targeted attacks or privilege escalation.

DailyCVE Form:

Platform: Q-Free MaxTime
Version: <= 2.11.0
Vulnerability: Missing Authorization
Severity: Medium
Date: 02/12/2025

What Undercode Says:

Exploitation:

  1. Crafting HTTP Requests: Attackers can use tools like `curl` or `Postman` to send crafted HTTP requests to the `/users` endpoint.
    curl -X GET http://<target-ip>/maxprofile/users -H "Authorization: Bearer <low-privilege-token>"
    
  2. User Enumeration: The response may include sensitive user data, such as usernames or IDs, which can be used for further attacks.

Protection:

  1. Patch Application: Upgrade to a version of Q-Free MaxTime beyond 2.11.0 if a patch is released.
  2. Authorization Checks: Implement proper authorization checks in the `routes.lua` file to ensure only authorized users can access sensitive endpoints.
    if not is_authorized(user) then
      return { status = 403, message = "Forbidden" }
    end
    
  3. Input Validation: Validate and sanitize all incoming HTTP requests to prevent crafted payloads.
  4. Network Segmentation: Restrict access to the MaxTime application to trusted IPs or networks.

Analytics:

  • CVSS Score: 6.5 Medium
  • Vector: CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Exploitability: Low privilege required, network-based attack.

Tools:

  • Nmap: Scan for open ports and services.
    nmap -sV <target-ip>
    
  • Metasploit: No public module is referenced for this CVE; the path below is a hypothetical name for a scanner module, should one be developed.
    use auxiliary/scanner/http/maxprofile_enum
    

References:

  • NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-26374
  • Q-Free MaxTime Advisory: https://www.q-free.com/security-advisories
  • CWE-862 Details: https://cwe.mitre.org/data/definitions/862.html

Code Example for Mitigation:

-- Example of adding an authorization check in routes.lua
-- (Express-style app/req/res API assumed; adapt to the framework in use)
local function is_authorized(user)
  -- Guard against unauthenticated requests where req.user is nil
  if user == nil then
    return false
  end
  return user.role == "admin" -- Replace with actual authorization logic
end

app:get("/users", function(req, res)
  -- Deny before any user data is read, so low-privilege callers get nothing
  if not is_authorized(req.user) then
    return res:status(403):json({ message = "Forbidden" })
  end
  -- Proceed with user data retrieval
end)
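The check above hard-codes a single role. As an added example (not Q-Free's code and not part of the original page), the following stand-alone Lua program generalizes it to a per-route allow-list with default deny, runs the check before every handler rather than inside each one, and records denied requests for later detection. The route paths, the `policy` table, the `dispatch` function and the in-memory `users_db` are assumptions made for the example; it needs no web framework and runs under a plain `lua` interpreter.

```lua
-- Added example: per-route authorization with default deny (assumed design,
-- not the MaxTime code base). Runs with a plain `lua` interpreter.

-- Policy: route -> set of roles allowed to call it. Routes not listed here
-- are denied, so a forgotten entry fails closed rather than open.
local policy = {
  ["GET /maxprofile/users"]    = { admin = true },
  ["GET /maxprofile/users/me"] = { admin = true, user = true },
}

-- Returns true only when the request carries an authenticated user AND that
-- user's role is explicitly allowed for the route.
local function is_authorized(route, user)
  local allowed = policy[route]
  if not allowed then return false end                       -- unknown route
  if type(user) ~= "table" or user.role == nil then return false end
  return allowed[user.role] == true
end

-- Constructed sample data standing in for the user store.
local users_db = {
  { id = 1, name = "alice", role = "admin" },
  { id = 2, name = "bob",   role = "user"  },
}

-- Handlers: the listing endpoint is the enumeration-sensitive one.
local handlers = {
  ["GET /maxprofile/users"] = function(req)
    return { status = 200, body = users_db }
  end,
  ["GET /maxprofile/users/me"] = function(req)
    return { status = 200, body = { id = req.user.id, name = req.user.name } }
  end,
}

-- Audit trail of denied requests; feed this to logging/alerting so repeated
-- denials from one account stand out.
local denied_log = {}

-- Dispatch: the authorization check runs centrally, before any handler.
local function dispatch(req)
  local route = req.method .. " " .. req.path
  if not is_authorized(route, req.user) then
    denied_log[#denied_log + 1] = {
      route   = route,
      subject = req.user and req.user.name or "anonymous",
    }
    -- Identical 403 for unknown and forbidden routes, so a denied caller
    -- learns nothing about which routes exist.
    return { status = 403, body = { message = "Forbidden" } }
  end
  return handlers[route](req)
end

-- Constructed sample requests.
local admin_req = { method = "GET", path = "/maxprofile/users",
                    user = { id = 1, name = "alice", role = "admin" } }
local low_req   = { method = "GET", path = "/maxprofile/users",
                    user = { id = 2, name = "bob", role = "user" } }
local self_req  = { method = "GET", path = "/maxprofile/users/me",
                    user = { id = 2, name = "bob", role = "user" } }
local anon_req  = { method = "GET", path = "/maxprofile/users" }

assert(dispatch(admin_req).status == 200)   -- admin may list users
assert(dispatch(low_req).status == 403)     -- low-privilege user may not
assert(dispatch(self_req).status == 200)    -- but may read their own record
assert(dispatch(anon_req).status == 403)    -- unauthenticated: denied
assert(#denied_log == 2)
print(string.format("ok: %d requests denied, first by %s on %s",
      #denied_log, denied_log[1].subject, denied_log[1].route))
```

Two design choices matter here: the policy lives in one table that the dispatcher consults for every route, so a new endpoint added to `routes.lua` without a policy entry is denied by default instead of silently exposed; and the `denied_log` gives operators a concrete signal (many 403s on `/maxprofile/users` from one low-privilege account) to alert on while the patch is being rolled out.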

By following these steps, organizations can mitigate the risk posed by CVE-2025-26374 and protect their systems from unauthorized user enumeration.
