Q-Free MaxTime SQL Injection Vulnerability in User Menu Management

Vulnerability

A SQL injection vulnerability has been identified in Q-Free MaxTime versions through 2.11.0. The issue resides in the 'editUserMenu' endpoint of 'maxprofile/menu/model.lua'. This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands by sending crafted HTTP requests.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of SQL commands, allowing attackers to exfiltrate, modify, or delete database information.

Remediation

No official patch is available from the vendor. As a temporary measure, it is recommended to restrict and monitor network access to the management web application on devices running Q-Free MaxTime versions through 2.11.0.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.