[Update 08/07/2025] Multiple vulnerabilities in Quiter Gateway by Quiter
Posted date 30/06/2025
Identifier
INCIBE-2025-0349
Importance
5 - Critical
Affected Resources
Quiter Gateway (Java WAR on Apache Tomcat), versions below 4.7.0.
Description
INCIBE has coordinated the publication of 11 vulnerabilities: 7 of critical severity and 4 of medium severity, affecting Quiter's Quiter Gateway, a complete software solution for the management of car dealerships and workshops. The vulnerabilities have been discovered by David Carrión Poza.
These vulnerabilities have been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40711 through CVE-2025-40717: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-40718: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-209
- CVE-2025-40719 through CVE-2025-40721: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
[Update 08/07/2025]
Quiter has released versions that fix the 11 CVEs listed in the advisory:
- QuiterGatewayWeb 4.7.0 (fe350748cfd14ba3f966c80d0d140254375ec23a);
- QMSCliente 1.0.15 (f19b69fb8dbec57d1c372f4631cb029328144e98);
- QISClient 2.0.1-SNAPSHOT (455c037d22e87178703c96f9d98a05fd46dbad41);
Quiter has deployed the fixed versions to all affected customers.
The fix for the reported vulnerabilities has been verified by an external auditor (Bullhost).
Detail
- SQL injection vulnerabilities in versions prior to 4.7.0 of Quiter Gateway by Quiter. These vulnerabilities allow an attacker to retrieve, create, update and delete databases. The list of assigned parameters and identifiers is as follows:
  - CVE-2025-40711: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
  - CVE-2025-40712: id_concesion parameter in /<Client>FacturaE/DescargarFactura.
  - CVE-2025-40713: campo parameter in /<Client>FacturaE/BusquedasFacturasSesion.
  - CVE-2025-40714: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
  - CVE-2025-40715: mensaje parameter in /QISClient/api/v1/sucesospaginas.
  - CVE-2025-40716: suceso.contenido parameter in /QMSCliente/Sucesos.action.
  - CVE-2025-40717: pagina.filter.categoria parameter in /QuiterGatewayWeb/api/v1/sucesospagina.
- CVE-2025-40718: Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
- Reflected Cross-site Scripting (XSS) vulnerabilities in versions prior to 4.7.0 of Quiter Gateway by Quiter. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
  - CVE-2025-40719: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
  - CVE-2025-40720: campo parameter in /<Client>FacturaE/VerFacturaPDF.
  - CVE-2025-40721: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
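As an added detection aid (not part of the INCIBE advisory and not Quiter's code), the following Python scan checks Tomcat access-log lines for the endpoints and parameters listed above, flagging SQL- or script-shaped values in the named parameters and 5xx responses on those endpoints. It assumes the default "common" access-log pattern, that the <Client> prefix appears as a path segment ending in "FacturaE", and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Endpoints and parameters named in the advisory; "<Client>" is a per-customer prefix,
# assumed here to be any single path segment ending in "FacturaE".
WATCHED = {
    r"/[^/]*FacturaE/VerFacturaPDF$": {"id_concesion", "campo"},
    r"/[^/]*FacturaE/DescargarFactura$": {"id_concesion"},
    r"/[^/]*FacturaE/BusquedasFacturasSesion$": {"campo"},
    r"/[^/]*FacturaE/listado_facturas_ficha\.jsp$": {"id_factura"},
    r"/QISClient/api/v1/sucesospaginas$": {"mensaje"},
    r"/QMSCliente/Sucesos\.action$": {"suceso.contenido"},
    r"/QuiterGatewayWeb/api/v1/sucesospagina$": {"pagina.filter.categoria"},
}
# Coarse indicators for CWE-89 and CWE-79 value shapes; tune to the deployment.
SQLI = re.compile(r"'|--|/\*|\b(union|select|sleep|waitfor|benchmark)\b", re.I)
XSS = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.I)
# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def scan_line(line):
    """Return (indicator, path, parameter) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _, _, _, target, status = m.groups()
    parts = urlsplit(target)
    params = next((p for pat, p in WATCHED.items() if re.search(pat, parts.path)), None)
    if params is None:
        return []  # not an endpoint the advisory names
    findings = []
    if status.startswith("5"):  # 5xx on a watched endpoint: verbose-error candidate (CVE-2025-40718)
        findings.append(("server-error", parts.path, None))
    qs = parse_qs(parts.query)  # percent-decodes values, so %27 becomes a quote
    for name in params.intersection(qs):
        for v in qs[name]:
            if SQLI.search(v):
                findings.append(("sqli-like", parts.path, name))
            if XSS.search(v):
                findings.append(("xss-like", parts.path, name))
    return findings

def scan_log(lines):
    return [f for line in lines for f in scan_line(line)]

# Constructed sample lines (not real traffic): clean request, stray quote with a 5xx, tag in id_factura.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2025:10:15:01 +0200] "GET /DemoFacturaE/VerFacturaPDF?id_concesion=12 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [30/Jun/2025:10:15:03 +0200] "GET /DemoFacturaE/VerFacturaPDF?id_concesion=12%27 HTTP/1.1" 500 812',
    '10.0.0.7 - - [30/Jun/2025:10:16:10 +0200] "GET /DemoFacturaE/listado_facturas_ficha.jsp?id_factura=%3Cscript%3E HTTP/1.1" 200 2048',
]
```

Parameters sent in a POST body (for example suceso.contenido on /QMSCliente/Sucesos.action) do not appear in the access log, so those endpoints need application or WAF logging to be covered by the same check.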