Andrea Palanca

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined (affected versions not specified) **Description** A low privileged remote attacker can obtain the root password because sensitive information is not properly removed before it is stored or transferred. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Time Machine (affected versions not specified) **Description** A Stored HTML Injection issue exists in the Time Machine Snapshot Diff functionality because of inadequate validation of network traffic data. An attacker who does not need to be authenticated can send crafted network packets at specific times to inject HTML tags into asset attributes across two snapshots. To successfully exploit this, a user must utilize the Time Machine Snapshot Diff feature on the targeted snapshots and perform specific GUI actions, which will then render the injected HTML in their browser. This can lead to phishing and open redirect attacks. While full Cross-Site Scripting (XSS) exploitation is prevented by input validation and Content Security Policy, the injected HTML can still pose a risk. The complexity of exploitation is high due to the multiple conditions that must be met. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Import Arc (affected versions not specified) **Description** A path traversal issue exists in the Import Arc data archive functionality because of inadequate input file validation. An authenticated user with limited privileges can potentially write arbitrary files to arbitrary paths by uploading a specially crafted Arc data archive. This could lead to alterations in the device configuration and/or affect its availability. The vulnerability allows writing arbitrary files in arbitrary paths. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alert functionality (affected versions not specified) **Description** A SQL Injection issue exists due to inadequate input validation. An authenticated user with limited privileges can execute arbitrary SQL statements, potentially leading to unauthorized data exposure, database structure and content alteration, and/or service disruption. The vulnerability resides in the Alert functionality and involves improper validation of an input parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Smart Polling (affected versions not specified) **Description** A SQL Injection issue exists in the Smart Polling functionality because of inadequate input validation. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the database management system (DBMS) used by the web application, which could lead to the disclosure of unauthorized data. The vulnerability is related to improper validation of an input parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2025-40888 **Description** A SQL Injection issue exists in the CLI functionality because of inadequate input validation. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements on the database management system used by the web application, potentially leading to unauthorized data disclosure. The vulnerability allows execution of SQL statements via an improper validation of an input parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2025-3718 **Description** A client-side path traversal issue exists in the web management interface front-end because of inadequate input validation. An authenticated user with limited privileges can create a malicious URL. Visiting this URL by an authenticated victim can result in a Cross-Site Scripting (XSS) attack. The vulnerability involves a missing validation of an input parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Time Machine (affected versions not specified) **Description** A path traversal issue exists in the Time Machine functionality because of inadequate input validation of two parameters. An authenticated user with limited privileges can potentially modify files within the /data folder and/or disrupt their availability by sending a specially crafted request. The issue allows for unauthorized file manipulation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** versions prior to 2025-3719 **Description** An access control issue exists in the Command Line Interface (CLI) functionality. A specific access restriction is not properly enforced for users with limited privileges. This allows an authenticated user with limited privileges to execute administrative CLI commands. Successful exploitation can lead to alterations in the device configuration and/or impact the device’s availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alert functionality (affected versions not specified) **Description** A SQL Injection issue exists due to inadequate input validation of a parameter within the Alert functionality. An authenticated user with limited privileges can execute arbitrary SELECT SQL statements against the database management system, potentially leading to unauthorized data disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to missing authentication for a critical function, allowing an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests. This is due to a missing authentication check in the maxprofile/guest-mode/routes.lua file. Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the maxprofile/guest-mode/routes.lua file to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to a missing authentication for a critical function in the maxprofile/accounts/routes.lua file. This allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests. Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the maxprofile/accounts/routes.lua file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to a missing authentication for a critical function in the maxprofile/menu/routes.lua file. This allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests. Recommendations: For versions 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the maxprofile/menu/routes.lua file to prevent unauthorized edits to user group permissions.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions less than or equal to 2.11.0 Description: A weak authentication issue in the PIN authentication mechanism allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests. This issue affects Q-Free MaxTime, enabling attackers to potentially gain unauthorized access. Recommendations: For Q-Free MaxTime versions less than or equal to 2.11.0, update to a version greater than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the PIN authentication mechanism to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions less than or equal to 2.11.0 Description: The issue is related to the use of a hard-coded cryptographic key in the JWT signing process. This allows an unauthenticated remote attacker to bypass authentication by sending crafted HTTP requests. Recommendations: For Q-Free MaxTime versions less than or equal to 2.11.0, update to a version greater than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the JWT signing process until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Q-Free MaxTime versions less than or equal to 2.11.0 **Description** A "Observable Response Discrepancy" in the login page allows an unauthenticated remote attacker to enumerate valid usernames via crafted HTTP requests. This issue is related to the login functionality, where differences in response can reveal whether a username is valid or not. **Recommendations** For Q-Free MaxTime versions less than or equal to 2.11.0, update to a version greater than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the login page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Q-Free MaxTime version 2.11.0 and earlier **Description** A CWE-346 "Origin Validation Error" in the CORS configuration allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability via crafted URLs or HTTP requests. **Recommendations** For Q-Free MaxTime version 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the CORS configuration to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions prior to 2.11.0 Description: A missing authentication issue for a critical function in maxtime/handleRoute.lua allows an unauthenticated remote attacker to affect device confidentiality, integrity, or availability via crafted HTTP requests. Recommendations: For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `handleRoute.lua` function until a patch is available. Avoid using the vulnerable function to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to missing authentication for a critical function, allowing an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests. This is due to a problem in the maxprofile/accounts/routes.lua file. Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the maxprofile/accounts/routes.lua file until a patch is available.

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions prior to 2.11.0 Description: The issue is related to an improper neutralization of special elements used in an SQL command, also known as SQL injection. This occurs in the maxprofile/menu/model.lua file, specifically at the editUserGroupMenu endpoint. An authenticated remote attacker can exploit this to execute arbitrary SQL commands via crafted HTTP requests. Recommendations: For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the editUserGroupMenu endpoint until a patch is available. Avoid using the vulnerable maxprofile/menu/model.lua file, specifically the editUserGroupMenu endpoint, until the issue is resolved.