CVE-2025-40713 PUBLISHED

SQL injection vulnerability in Quiter Gateway

Assigner: INCIBE
Reserved: 16.04.2025 Published: 08.07.2025 Updated: 10.07.2025

SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the campo parameter in/<Client>FacturaE/BusquedasFacturasSesion.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor Quiter
Product Quiter Gateway (Java WAR on Apache Tomcat)
Versions Default: unaffected
  • affected from 0 to 4.7.0 (excl.)

Solutions

The vulnerability has been fixed by Quiter team in the latest version.

Credits

  • David Carrión Poza finder

References

Problem Types

  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE