A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
Credits
Diego Giubertoni of Nozomi Networks found this bug during a security research activity.
