Reflected Cross-Site Scripting Vulnerability in Quiter Gateway by Quiter
CVE-2025-40719

5.1MEDIUM

Key Information:

Vendor: Quiter
Status: Quiter Gateway (java War On Apache Tomcat)
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-40719?

A reflected cross-site scripting (XSS) vulnerability exists in Quiter Gateway versions prior to 4.7.0. This flaw enables cybercriminals to execute arbitrary JavaScript in the context of a user's browser. Attackers exploit this vulnerability by crafting malicious URLs that manipulate the id_concesion parameter within the /FacturaE/VerFacturaPDF endpoint, allowing them to launch attacks that can compromise user data and session integrity.

Affected Version(s)

Quiter Gateway (Java WAR on Apache Tomcat) 0 < 4.7.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

David Carrión Poza