Multiple vulnerabilities in QuiterWeb AutoWeb by Quiter
Posted date 30/06/2025
Identifier
INCIBE-2025-0349
Importance
5 - Critical
Affected Resources
QuiterWeb AutoWeb, version 7.0.
Description
INCIBE has coordinated the publication of 11 vulnerabilities: 7 of critical severity and 4 of medium severity, affecting Quiter's QuiterWeb AutoWeb, a complete software solution for the management of car dealerships and workshops. The vulnerabilities have been discovered by David Carrión Poza.
These vulnerabilities have been assigned the following CVE identifiers, CVSS v4.0 base scores, CVSS vectors and CWE vulnerability types:
- CVE-2025-40711 through CVE-2025-40717: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-40718: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-209
- CVE-2025-40719 through CVE-2025-40721: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
There is no reported solution at this time.
Detail
- SQL injection vulnerabilities in QuiterWeb AutoWeb v7.0 from Quiter. These vulnerabilities allow an attacker to retrieve, create, update and delete databases. The list of assigned parameters and identifiers is as follows:
  - CVE-2025-40711: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
  - CVE-2025-40712: id_concesion parameter in /<Client>FacturaE/DescargarFactura.
  - CVE-2025-40713: campo parameter in /<Client>FacturaE/BusquedasFacturasSesion.
  - CVE-2025-40714: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
  - CVE-2025-40715: mensaje parameter in /QISClient/api/v1/sucesospaginas.
  - CVE-2025-40716: suceso.contenido parameter in /QMSCliente/Sucesos.action.
  - CVE-2025-40717: pagina.filter.categoria parameter in /QuiterGatewayWeb/api/v1/sucesospagina.
- CVE-2025-40718: Improper error handling vulnerability in QuiterWeb AutoWeb v7.0 from Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information.
- Reflected Cross-site Scripting (XSS) vulnerabilities in QuiterWeb AutoWeb v7.0 from Quiter. These vulnerabilities allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
  - CVE-2025-40719: id_concesion parameter in /<Client>FacturaE/VerFacturaPDF.
  - CVE-2025-40720: campo parameter in /<Client>FacturaE/VerFacturaPDF.
  - CVE-2025-40721: id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp.
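As an added defensive example (not code from Quiter, INCIBE or the researcher), the following Python scans web-server access-log lines for the affected endpoints listed above and flags the vulnerable parameters whose values fall outside a strict allow-list, which covers both the SQL injection and the reflected XSS entries, plus 5xx responses on those endpoints as a possible sign of the improper error handling issue. The allow-list shapes (numeric ids, plain words), the "Acme" client prefix, the addresses and the log lines are constructed assumptions; the suceso.contenido parameter of /QMSCliente/Sucesos.action is not covered because request bodies do not appear in access logs.

```python
"""Flag requests to the QuiterWeb AutoWeb endpoints named in INCIBE-2025-0349.
Added example, not Quiter or INCIBE code; value shapes below are assumptions."""
import re
from urllib.parse import urlsplit, parse_qs

ANY_CLIENT = r"^/[^/]*FacturaE/"  # "<Client>" in the advisory is a per-customer prefix
# (path regex, vulnerable parameter, allow-list regex the decoded value must fully match)
WATCHLIST = [
    (ANY_CLIENT + r"VerFacturaPDF$", "id_concesion", r"\d{1,10}"),
    (ANY_CLIENT + r"VerFacturaPDF$", "campo", r"[A-Za-z0-9_]{1,64}"),
    (ANY_CLIENT + r"DescargarFactura$", "id_concesion", r"\d{1,10}"),
    (ANY_CLIENT + r"BusquedasFacturasSesion$", "campo", r"[A-Za-z0-9_]{1,64}"),
    (ANY_CLIENT + r"listado_facturas_ficha\.jsp$", "id_factura", r"\d{1,10}"),
    (r"^/QISClient/api/v1/sucesospaginas$", "mensaje", r"[\w .,-]{0,200}"),
    (r"^/QuiterGatewayWeb/api/v1/sucesospagina$", "pagina.filter.categoria", r"[A-Za-z0-9_]{1,64}"),
]
# Common Log Format: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def check_request(path, query, status):
    """Return the reasons one request looks suspicious (empty list if none)."""
    reasons = []
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes once
    watched = False
    for path_re, param, ok_re in WATCHLIST:
        if not re.match(path_re, path):
            continue
        watched = True
        for value in params.get(param, []):
            if not re.fullmatch(ok_re, value):
                reasons.append(f"{param}={value!r} fails allow-list")
    if watched and status.startswith("5"):  # possible verbose error (CWE-209)
        reasons.append(f"HTTP {status} on affected endpoint")
    return reasons

def scan_log(lines):
    """Yield (client_ip, path, reason) for every suspicious request in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        for reason in check_request(parts.path, parts.query, status):
            yield ip, parts.path, reason
# Constructed sample log: client prefix "Acme" and addresses are made up.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Jun/2025:10:00:01 +0200] "GET /AcmeFacturaE/VerFacturaPDF?id_concesion=42 HTTP/1.1" 200 5120',
    '203.0.113.11 - - [30/Jun/2025:10:00:02 +0200] "GET /AcmeFacturaE/VerFacturaPDF?id_concesion=42%27 HTTP/1.1" 500 812',
    '203.0.113.12 - - [30/Jun/2025:10:00:03 +0200] "GET /AcmeFacturaE/listado_facturas_ficha.jsp?id_factura=12%3Cb%3E HTTP/1.1" 200 2048',
    '203.0.113.13 - - [30/Jun/2025:10:00:04 +0200] "GET /QISClient/api/v1/sucesospaginas?mensaje=Hola HTTP/1.1" 200 300',
]
```

Running `list(scan_log(SAMPLE_LOG))` yields three findings: two for the second line (a non-numeric id_concesion and the HTTP 500) and one for the third line; the well-formed requests on lines one and four produce nothing.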