CVE-2025-26369

CVE-2025-26369

Título es
CVE-2025-26369

Mié, 12/02/2025 – 14:15

Tipo
CWE-862

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-26369

Descripción en
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.

12/02/2025
12/02/2025
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)
8.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369

    • Enviar en el boletín
    Off

    CVE-2025-26377

    CVE-2025-26377

    Título es
    CVE-2025-26377

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26377

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26377

    • Enviar en el boletín
    Off

    CVE-2025-26376

    CVE-2025-26376

    Título es
    CVE-2025-26376

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26376

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26376

    • Enviar en el boletín
    Off

    CVE-2025-26375

    CVE-2025-26375

    Título es
    CVE-2025-26375

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26375

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26375

    • Enviar en el boletín
    Off

    CVE-2025-26374

    CVE-2025-26374

    Título es
    CVE-2025-26374

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26374

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26374

    • Enviar en el boletín
    Off

    CVE-2025-26373

    CVE-2025-26373

    Título es
    CVE-2025-26373

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26373

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26373

    • Enviar en el boletín
    Off

    CVE-2025-26372

    CVE-2025-26372

    Título es
    CVE-2025-26372

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26372

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26372

    • Enviar en el boletín
    Off

    CVE-2025-26371

    CVE-2025-26371

    Título es
    CVE-2025-26371

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26371

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26371

    • Enviar en el boletín
    Off

    CVE-2025-26378

    CVE-2025-26378

    Título es
    CVE-2025-26378

    Mié, 12/02/2025 – 14:15

    Tipo
    CWE-862

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-26378

    Descripción en
    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26378

    • Enviar en el boletín
    Off

    CVE-2024-10322

    CVE-2024-10322

    Título es
    CVE-2024-10322

    Mié, 12/02/2025 – 13:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-10322

    Descripción en
    The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

    12/02/2025
    12/02/2025
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/changeset/3231744/

  • https://plugins.trac.wordpress.org/changeset/3231744/brizy/trunk/admin/svg/main.php

  • Brizy – Page Builder



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/3b2ef7c3-4610-4e8b-ab27-2d6cbdbed097?source=cve

    • Enviar en el boletín
    Off