CVE-2025-26359 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-26347 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-26345 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-26344 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-26342 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-26341 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-26339 |
Description: A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-25200 |
Description: Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.
CVSS: CRITICAL (9.2) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-25182 |
Description: Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass on a Stroom system when it is configured with ALB and installed in such a way that the application is accessible other than through the ALB itself. This vulnerability may also allow for server-side request forgery, which may lead to code execution or further privilege escalation when using the AWS metadata URL. This scenario assumes that Stroom is configured to use ALB Authentication integration and that the application is network accessible. The vulnerability has been fixed in versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2.
CVSS: CRITICAL (9.4) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|
CVE-2025-1100 |
Description: A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 13th, 2025 (4 months ago)
|