Reflected XSS Vulnerability in Quiter Gateway by Quiter
CVE-2025-40721
5.1 MEDIUM
What is CVE-2025-40721?
A reflected cross-site scripting (XSS) vulnerability exists in Quiter Gateway versions prior to 4.7.0. Attackers can exploit it to execute arbitrary JavaScript code in a victim's browser. The attack works by sending the victim a specially crafted URL that carries the malicious payload in the id_factura parameter of the /FacturaE/listado_facturas_ficha.jsp endpoint. Website administrators and users are encouraged to update their systems to the latest version to mitigate the risk.
Affected Version(s)
Quiter Gateway (Java WAR on Apache Tomcat) 0 < 4.7.0
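A detection check for the request described above, added here as an example (not code from Quiter or from this advisory): it scans Tomcat-style access-log lines for id_factura values on that endpoint that decode to HTML metacharacters, including nested percent-encoding. The log lines are constructed samples; the assumptions are that a legitimate id_factura never contains such characters and that the WAR may be deployed under a context path.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/FacturaE/listado_facturas_ficha.jsp"
PARAM = "id_factura"
# Assumption: a legitimate id_factura never contains HTML metacharacters.
MARKUP = re.compile(r"[<>\"'`]")
# Request line as written by the common/combined access-log patterns.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /FacturaE/'
    'listado_facturas_ficha.jsp?id_factura=1042 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2025:10:00:05 +0000] "GET /FacturaE/'
    'listado_facturas_ficha.jsp?id_factura=%3Cscript%3Ealert(1)'
    '%3C%2Fscript%3E HTTP/1.1" 200 5187',
    '192.0.2.44 - - [01/Jan/2025:10:00:09 +0000] "GET /app/FacturaE/'
    'listado_facturas_ficha.jsp;jsessionid=ABC?id_factura=7%2522%253E'
    ' HTTP/1.1" 200 5140',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.jsp?q=%3Cb%3E'
    ' HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so %253C is read as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded id_factura values on this line that contain markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    # Drop Tomcat path parameters (;jsessionid=...) and allow a context path.
    if not target.path.split(";")[0].endswith(ENDPOINT):
        return []
    values = parse_qs(target.query, keep_blank_values=True).get(PARAM, [])
    return [d for d in map(fully_decode, values) if MARKUP.search(d)]

def scan(lines):
    """Map 1-based line number -> flagged values, for lines with a hit."""
    return {n: v for n, l in enumerate(lines, 1) if (v := suspicious_values(l))}
```

Hits in historical logs indicate attempted delivery of a crafted link, not that a browser executed it; parameters sent in a POST body do not appear in access logs and are outside this check.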