CVE-2025-59746
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to execute malicious JavaScript in victims' browsers by tricking them into clicking a specially crafted URL. The vulnerability affects the 'm' parameter in the '/lib/asp/alert.asp' endpoint. Organizations using AndSoft e-TMS v25.03 are at risk.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
E Tms by Andsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Attackers will typically steal session cookies to hijack user accounts, potentially gaining access to sensitive transportation management data.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute JavaScript, limiting impact to parameter manipulation only.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized in phishing campaigns. The exploit requires user interaction (clicking a link) but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v25.04 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: Yes
Instructions:
1. Download the latest version from AndSoft's official website. 2. Backup current installation and data. 3. Install the update following vendor instructions. 4. Restart the e-TMS application and verify functionality.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
allConfigure WAF to block requests containing malicious JavaScript patterns in the 'm' parameter
WAF-specific configuration commands vary by vendor
Input Validation Filter
windowsImplement server-side input validation to sanitize the 'm' parameter
ASP code modifications required - consult developer documentation
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy network segmentation to isolate e-TMS from internet access
🔍 How to Verify
Check if Vulnerable:
Test by accessing /lib/asp/alert.asp?m=<script>alert('XSS')</script> and checking if JavaScript executesCheck Version:
Check application version in e-TMS admin interface or about pageVerify Fix Applied:
After patching, repeat the test above - JavaScript should not execute and input should be properly encoded📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /lib/asp/alert.asp with script tags in parameters
- Unusual parameter values containing JavaScript syntax
Network Indicators:
- URLs containing /lib/asp/alert.asp with encoded script payloads
- Multiple failed login attempts following suspicious URL access
SIEM Query:
source="web_logs" AND uri_path="/lib/asp/alert.asp" AND (param_m CONTAINS "<script>" OR param_m CONTAINS "javascript:")