[Update 08/07/2025] Multiple vulnerabilities in Quiter Gateway by Quiter

Posted date 30/06/2025
Identifier
INCIBE-2025-0349
Importance
5 - Critical
Affected Resources

Quiter Gateway (Java WAR on Apache Tomcat), versions below 4.7.0.

Description

INCIBE has coordinated the publication of 11 vulnerabilities: 7 of critical severity and 4 of medium severity, affecting Quiter's Quiter Gateway, a complete software solution for the management of car dealerships and workshops. The vulnerabilities have been discovered by David Carrión Poza.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base scores, CVSS vectors and CWE vulnerability types:

  • CVE-2025-40711 through CVE-2025-40717: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89 (SQL injection)
  • CVE-2025-40718: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-209 (error message containing sensitive information)
  • CVE-2025-40719 through CVE-2025-40721: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79 (cross-site scripting)
Solution
Detail
  • SQL injection vulnerabilities in versions prior to 4.7.0 of Quiter Gateway by Quiter. These vulnerabilities allow an attacker to retrieve, create, update and delete databases. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40711: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
    • CVE-2025-40712: id_concesion parameter in /<Client>FacturaE/DescargarFactura.
    • CVE-2025-40713: campo parameter in /<Client>FacturaE/BusquedasFacturasSesion.
    • CVE-2025-40714: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
    • CVE-2025-40715: mensaje parameter in /QISClient/api/v1/sucesospaginas.
    • CVE-2025-40716: suceso.contenido parameter in /QMSCliente/Sucesos.action.
    • CVE-2025-40717: pagina.filter.categoria parameter in /QuiterGatewayWeb/api/v1/sucesospagina.
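The following Java example is added here to illustrate the vulnerability class listed above; it is not Quiter's code and nothing about Quiter Gateway's internals is known from this advisory. The class, table and column names (`facturas`, `numero_factura`, the `ALLOWED_CAMPOS` map) are assumptions chosen to mirror the parameter names in the list. It shows the string-spliced query that produces CWE-89 next to a bound-parameter version, and how a client-chosen column such as `campo` (which JDBC cannot bind as a parameter) is handled with an allow-list instead.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Illustrative only: not Quiter Gateway code. Table and column names are assumptions.
public final class FacturaQueries {

    // Columns the "campo" search parameter may select, keyed by the token the
    // client is allowed to send. A column name cannot be a bound parameter, so
    // an allow-list is the only safe way to let the client choose one.
    private static final Map<String, String> ALLOWED_CAMPOS = Map.of(
            "numero", "numero_factura",
            "fecha", "fecha_emision",
            "cliente", "nombre_cliente");

    // VULNERABLE (CWE-89): the request parameter is spliced into the SQL text,
    // so whatever id_concesion contains becomes part of the statement.
    static List<String> facturasPorConcesionVulnerable(Connection c, String idConcesion)
            throws SQLException {
        String sql = "SELECT numero_factura FROM facturas WHERE id_concesion = " + idConcesion;
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // HARDENED: the value is parsed to the type the column expects and bound
    // as a parameter; the SQL text itself is a constant.
    static List<String> facturasPorConcesion(Connection c, String idConcesion)
            throws SQLException {
        int id = parseId(idConcesion);   // rejects anything that is not an integer
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT numero_factura FROM facturas WHERE id_concesion = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // HARDENED search: "campo" selects a column only through the allow-list,
    // and the search text is bound, never concatenated.
    static List<String> buscarFacturas(Connection c, String campo, String texto)
            throws SQLException {
        String column = ALLOWED_CAMPOS.get(campo);
        if (column == null) {
            throw new IllegalArgumentException("unknown search field");
        }
        try (PreparedStatement ps = c.prepareStatement(
                "SELECT numero_factura FROM facturas WHERE " + column + " LIKE ?")) {
            ps.setString(1, "%" + texto + "%");
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Parse a numeric identifier; the message is generic on purpose so it can
    // be shown to the client without revealing anything about the query.
    static int parseId(String raw) {
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid identifier");
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }
}
```

The allow-list pattern in `buscarFacturas` is the part reviewers most often miss: a `PreparedStatement` protects the values, but a column or table name taken from the request still has to be mapped to a fixed set of known identifiers before it touches the SQL string.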
  • CVE-2025-40718: Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
  • Reflected Cross-site Scripting (XSS) vulnerabilities in versions prior to 4.7.0 of Quiter Gateway by Quiter. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40719: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
    • CVE-2025-40720: campo parameter in /<Client>FacturaE/VerFacturaPDF.
    • CVE-2025-40721: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
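The following Java example is added to illustrate the error-handling (CVE-2025-40718) and reflected XSS entries above together, since both arise where a handler echoes request data or exception text into an HTML response. It is not Quiter's code; it assumes a `javax.servlet` (Tomcat 9 style) API and invents the `reportError` helper and its callers. Full diagnostic detail stays in the server log under a correlation id, the client receives a fixed message, and anything reflected from the request is HTML-encoded first.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletResponse;

// Illustrative only: not Quiter Gateway code. Servlet API package is assumed.
public final class ErrorResponses {

    private static final Logger LOG = Logger.getLogger(ErrorResponses.class.getName());

    // VULNERABLE (CWE-209 and CWE-79): the driver/exception message and the raw
    // parameter value are written straight into the page. The message can expose
    // schema or query details, and the value is rendered as markup by the browser.
    static void reportErrorVulnerable(HttpServletResponse resp, String paramName,
                                      String value, Exception e) throws IOException {
        resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<p>Error processing " + paramName + "=" + value + ": "
                + e.getMessage() + "</p>");
    }

    // HARDENED: details go to the log with a reference the operator can search
    // for; the client gets a generic message plus that reference, a status that
    // distinguishes bad input from server faults, and encoded reflected text.
    static void reportError(HttpServletResponse resp, String paramName,
                            String value, Exception e) throws IOException {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "request failed ref=" + ref + " param=" + paramName, e);

        boolean clientFault = e instanceof IllegalArgumentException;
        resp.setStatus(clientFault ? HttpServletResponse.SC_BAD_REQUEST
                                   : HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        resp.setContentType("text/html;charset=UTF-8");
        // Defence in depth: even if an encoding slip remains, inline script is blocked.
        resp.setHeader("Content-Security-Policy", "default-src 'none'");
        resp.setHeader("X-Content-Type-Options", "nosniff");

        PrintWriter out = resp.getWriter();
        out.println("<p>The request could not be processed. Reference: "
                + htmlEncode(ref) + "</p>");
        if (clientFault) {
            // Echoing the offending parameter is optional; if it is shown, it is encoded.
            out.println("<p>Invalid value for parameter " + htmlEncode(paramName)
                    + ": " + htmlEncode(value) + "</p>");
        }
    }

    // Entity-encode the five characters that matter in HTML text and attributes.
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }
}
```

The same rule applies to a JSP such as the `listado_facturas_ficha.jsp` named above: a value written with `<%= request.getParameter("id_factura") %>` is reflected verbatim, whereas passing it through an encoder (this `htmlEncode`, or the JSTL `<c:out>` tag, which escapes by default) before it reaches the page is what closes the reflected XSS.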