Cyber Posture

CVE-2025-1102

Severity: Medium
Published: 12 February 2025
Modified: 24 October 2025
KEV Added: (not set)
Patch: (not set)
CVSS Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (10.6th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A CWE-346 Origin Validation Error in the CORS configuration of Q-Free MaxTime, versions 2.11.0 and earlier, allows an unauthenticated remote attacker to impact the device's confidentiality, integrity, or availability via crafted URLs or HTTP requests.

Security Summary

CVE-2025-1102 is a CWE-346 Origin Validation Error in the CORS configuration of Q-Free MaxTime, versions 2.11.0 and earlier. Published on 2025-02-12, it is described as allowing an unauthenticated remote attacker to impact the device's confidentiality, integrity, or availability via crafted URLs or HTTP requests. The CVSS v3.1 vector recorded here is narrower than that description: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) scores a high confidentiality impact only, with no integrity or availability impact, and requires user interaction.

The typical shape of a CWE-346 in a CORS configuration is a web interface that trusts an Origin it should not, for example by echoing whatever Origin header it receives into Access-Control-Allow-Origin, often together with Access-Control-Allow-Credentials: true. The attacker hosts a page on a domain they control and lures a user who is logged in to MaxTime into visiting it (UI:R); the victim's browser then makes authenticated cross-origin requests to the device and the attacker's page is allowed to read the responses. That is why the vector needs no privileges (PR:N) and is low complexity (AC:L) while still depending on a user action. The AV:L in the vector and the "remote attacker" in the description do not agree; the description's browser-mediated remote path is the more plausible reading for a CORS flaw, so treat the 5.5 score as a floor rather than a ceiling when prioritising. Under the recorded vector, successful exploitation compromises confidentiality (C:H) with no direct impact on integrity or availability.
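The following is an added example, not code from the Cyber Posture page, Q-Free, or the Nozomi advisory. It shows the general shape of a CWE-346 Origin Validation Error in a CORS configuration (a substring check that reflects any trusted-looking Origin with credentials) beside a hardened exact-match allow-list, plus the triage check a tester runs on a captured response to tell a harmless wildcard from a credentialed reflection. The hostnames, the TRUSTED_ORIGINS list and the function names are placeholders chosen for this example; the actual MaxTime validation logic is not described on this page.

```python
# Added example; not code from the Cyber Posture page, Q-Free, or Nozomi.
# Illustrates the general pattern of a CWE-346 Origin Validation Error in a
# CORS configuration and the check used to confirm one. The hostnames
# (maxtime.example, attacker.example) are placeholders, not real MaxTime hosts.
from urllib.parse import urlsplit

# Origins the web interface is meant to trust (placeholder values).
TRUSTED_ORIGINS = frozenset({
    "https://maxtime.example",
    "https://ops.maxtime.example",
})


def is_origin_allowed_weak(origin: str) -> bool:
    """Vulnerable check: substring match on the raw Origin header.

    Any attacker-controlled host that merely contains the trusted name,
    e.g. https://maxtime.example.attacker.example, passes.
    """
    return "maxtime.example" in origin


def is_origin_allowed(origin: str) -> bool:
    """Hardened check: exact, case-normalised match of scheme://host[:port]
    against an allow-list. The literal 'null' origin (sandboxed iframes,
    file://) and anything carrying a path, query or fragment is not a
    well-formed Origin and is rejected."""
    if origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in TRUSTED_ORIGINS


def cors_headers(origin: str, allowed) -> dict:
    """Response headers a credentialed CORS endpoint emits for `origin`
    when it decides trust with the supplied `allowed` function."""
    if allowed(origin):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def classify_cors_response(sent_origin: str, headers: dict) -> str:
    """Triage a response to a request that carried `Origin: sent_origin`.

    'none'                   no ACAO: a cross-origin page cannot read it.
    'public'                 ACAO '*': readable, but browsers never attach
                             cookies or other credentials to a wildcard.
    'reflected'              our origin echoed back, credentials not allowed.
    'reflected-credentialed' our origin echoed back AND credentials allowed:
                             an attacker page can read a logged-in victim's
                             responses (the CWE-346 CORS case; also hit when
                             sent_origin is the literal 'null').
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "public"
    if acao == sent_origin:
        return "reflected-credentialed" if creds else "reflected"
    return "none"


def probe(attacker_origin: str, allowed) -> str:
    """Run one probe Origin through a server built on `allowed` and classify."""
    return classify_cors_response(attacker_origin, cors_headers(attacker_origin, allowed))


if __name__ == "__main__":
    evil = "https://maxtime.example.attacker.example"
    print("weak    :", probe(evil, is_origin_allowed_weak))   # reflected-credentialed
    print("hardened:", probe(evil, is_origin_allowed))        # none
```

Against a live target the same triage applies to a real response: send the request with an Origin you control and feed the response headers to classify_cors_response. Only the reflected-credentialed outcome lets a malicious page read data as the victim; a bare wildcard is usually fine for genuinely public endpoints.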

Mitigation details are in the advisory published by Nozomi Networks Labs at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-1102; consult it for patching instructions, workarounds, or configuration changes specific to Q-Free MaxTime deployments.

Details

CWE(s)
CWE-346

Affected Products

q-free
maxtime
≤ 2.11.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CORS origin validation error (CWE-346) in the Q-Free MaxTime web management interface lets an unauthenticated remote attacker bypass the browser's same-origin protections and read or manipulate sensitive data via crafted URLs or HTTP requests. The management interface is a network-reachable web application, so exploiting it maps to T1190.

References

Nozomi Networks Labs, vulnerability advisory for CVE-2025-1102: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-1102