Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Multiple vulnerabilities in QuiterWeb AutoWeb by Quiter

Posted date 30/06/2025
Identificador
INCIBE-2025-0349
Importance
5 - Critical
Affected Resources

QuiterWeb AutoWeb, 7.0 version.

Description

INCIBE has coordinated the publication of 11 vulnerabilities: 7 of critical severity and 4 of medium severity, affecting Quiter's QuiterWeb AutoWeb, a complete software solution for the management of car dealerships and workshops. The vulnerabilities have been discovered by David Carrión Poza.

These vulnerabilities have been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40711 through CVE-2025-40717: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • CVE-2025-40718: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-209
  • CVE-2025-40719 through CVE-2025-40721: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

There is no reported solution at this time.

Detail
  • SQL injection vulnerabilities in QuiterWeb AutoWeb v7.0 from Quiter. These vulnerabilities allow an attacker to retrieve, create, update and delete databases. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40711: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
    • CVE-2025-40712: id_concesion parameter in /<Client>FacturaE/DescargarFactura.
    • CVE-2025-40713: campo parameter in /<Client>FacturaE/BusquedasFacturasSesion.
    • CVE-2025-40714: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
    • CVE-2025-40715: mensaje parameter in /QISClient/api/v1/sucesospaginas.
    • CVE-2025-40716: suceso.contenido parameter in /QMSCliente/Sucesos.action.
    • CVE-2025-40717: pagina.filter.categoria parameter in /QuiterGatewayWeb/api/v1/sucesospagina.
  • CVE-2025-40718: Improper error handling vulnerability in QuiterWeb AutoWeb v7.0 from Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
  • Reflected Cross-site Scripting (XSS) vulnerabilities in QuiterWeb AutoWeb v7.0 from Quiter. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40719: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
    • CVE-2025-40720: campo parameter in /<Client>FacturaE/VerFacturaPDF.
    • CVE-2025-40721: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
References list
Manufacturer's website
Etiquetas