Omission of key-controlled authorization in Qsige

Posted date 16/01/2024
3 - Medium
Affected Resources

Sinergia, Sinergia 2.0, and Sinergia Corporativo.


INCIBE has coordinated the publication of 1 vulnerability that affects IDMSistemas QSige, an intelligent queue management system, which has been discovered by Oscar Atienza.

This vulnerability have been assigned the following code, CVSS v3.1 base score, CVSS vector and the CWE vulnerability type of each vulnerability:

  • CVE-2024-0580: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CWE-639. 

Update the 'locator' module of the affected product.

A patch was applied to this module on June 23, 2023. Please refer to the link (https://web/qsige.localizador/about) for details. If you are using an older version, you can contact IDM to upgrade your system.


CVE-2024-0580: omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product. This vulnerability allows an attacker to extract sensitive information from the API by making a request to the parameter '/qsige.locator/quotePrevious/centers/X', where X supports values 1,2,3, etc. Example: https://web/qsige.localizador/citaPrevia/centros/1.