[Update 08/07/2025] Multiple vulnerabilities in Quiter Gateway by Quiter

Posted date 30/06/2025

Identificador

INCIBE-2025-0349

Importance

5 - Critical

Affected Resources

Quiter Gateway (Java WAR on Apache Tomcat), versions below 4.7.0.

Description

INCIBE has coordinated the publication of 11 vulnerabilities: 7 of critical severity and 4 of medium severity, affecting Quiter's Quiter Gateway, a complete software solution for the management of car dealerships and workshops. The vulnerabilities have been discovered by David Carrión Poza.

These vulnerabilities have been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

CVE-2025-40711 through CVE-2025-40717: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
CVE-2025-40718: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-209
CVE-2025-40719 through CVE-2025-40721: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

[Update 08/07/2025]

Quiter has released versions that fix the 11 CVEs listed in the advisory:

QuiterGatewayWeb 4.7.0 (fe350748cfd14ba3f966c80d0d140254375ec23a);
QMSCliente 1.0.15 (f19b69fb8dbec57d1c372f4631cb029328144e98);
QISClient 2.0.1-SNAPSHOT (455c037d22e87178703c96f9d98a05fd46dbad41);

Quiter has applied the fix version to all affected customers.

The fix for the reported vulnerabilities has been verified by an external auditor (Bullhost).

Detail

SQL injection vulnerabilities in versions prior to 4.7.0 of Quiter Gateway by Quiter. These vulnerabilities allow an attacker to retrieve, create, update and delete databases. The list of assigned parameters and identifiers is as follows:
- CVE-2025-40711: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
- CVE-2025-40712: id_concesion parameter in /<Client>FacturaE/DescargarFactura.
- CVE-2025-40713: campo parameter in /<Client>FacturaE/BusquedasFacturasSesion.
- CVE-2025-40714: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
- CVE-2025-40715: mensaje parameter in /QISClient/api/v1/sucesospaginas.
- CVE-2025-40716: suceso.contenido parameter in /QMSCliente/Sucesos.action.
- CVE-2025-40717: pagina.filter.categoria parameter in /QuiterGatewayWeb/api/v1/sucesospagina.
CVE-2025-40718: Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
Reflected Cross-site Scripting (XSS) vulnerabilities in versions prior to 4.7.0 of Quiter Gateway by Quiter. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
- CVE-2025-40719: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
- CVE-2025-40720: campo parameter in /<Client>FacturaE/VerFacturaPDF.
- CVE-2025-40721: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.

References list

Manufacturer's website

Etiquetas