CVE-2025-59753
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03 lets an attacker inject JavaScript through a crafted URL to the login page, '/clt/LOGINFRM_BET.ASP', whose query parameters are reflected into the response without output encoding. A victim who opens the link runs the script in the context of the e-TMS origin: the attacker can read any cookie not marked HttpOnly, overlay a fake login form on the real one to harvest credentials, redirect the user, or issue requests as that user. Organizations running AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS v25.03
📦 What is this software?
e-TMS by AndSoft, a web-based transport management system (TMS) used by logistics operators; the affected login page is a classic ASP page.
⚠️ Risk & Real-World Impact
Worst Case
The vulnerable page is the login form, so the victim usually has no session yet. The realistic worst case is an injected fake login form or keylogger that captures an administrator's credentials; with those the attacker gains full administrative access to e-TMS, changes configuration, reads shipment and customer data, and uses the foothold to reach other internal systems. If an already-authenticated administrator opens the link and the session cookie lacks HttpOnly, the session itself can be stolen directly.
Likely Case
Attacker phishes ordinary e-TMS users with a link to the real login page carrying the payload; the script captures their credentials or, for users already logged in, their session, and the attacker then reads their data in e-TMS and performs actions on their behalf.
If Mitigated
With every reflected parameter HTML-encoded on output (Server.HTMLEncode in classic ASP) and with server-side validation of what each parameter may contain, the payload reaches the browser as inert text and nothing executes.
🎯 Exploit Status
Reflected XSS requires a victim to open the crafted link (typically delivered by mail, chat, or a link on another site), but it needs no authentication and no tooling once a reflecting parameter is known: the payload is the URL itself, and a simple alert() probe is enough to confirm it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Advisory (INCIBE-CERT, updated 24 Sep 2025): https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Contact AndSoft for patch availability. The advisory covers several e-TMS findings, so ask for the fix set that addresses all of them, not only this CVE.
2. Obtain the update from the vendor and apply it to a test instance first.
3. Apply it to production according to the vendor's instructions.
4. Re-run the reflection check under "How to Verify" and confirm the login flow still works.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Configure the WAF to block requests to /clt/LOGINFRM_BET.ASP whose parameters contain markup or script patterns. Match on the URL-decoded value, since attackers percent-encode (and double-encode) payloads to slip past literal signatures. Treat this as a stopgap: a WAF reduces exposure but does not remove the reflection.
WAF-specific configuration commands vary by vendor
Input Validation Filter
Add server-side validation that rejects or strips markup characters from the vulnerable parameters before they are used, and HTML-encode them wherever they are written back into the page (Server.HTMLEncode in classic ASP). Encoding on output is the control that actually closes the bug; validation narrows the attack surface.
ASP code modifications required - specific to application
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources. A policy that still allows 'unsafe-inline' gives no protection against this bug; use nonces or hashes for the application's own inline scripts, and expect to test the login page carefully, since classic ASP pages commonly rely on inline script.
- Mark the session cookie HttpOnly (and Secure) so a successful injection cannot read it.
- Deploy network segmentation to isolate the e-TMS system from critical infrastructure. This limits what a compromised account can reach; it does nothing to stop the XSS itself, which runs in the victim's browser.
- Tell users not to follow e-TMS links from mail or chat and to type the address themselves.
🔍 How to Verify
Check if Vulnerable:
Only test an instance you are authorized to test. Send a request to '/clt/LOGINFRM_BET.ASP' with a parameter set to a simple XSS payload such as <script>alert('XSS')</script> (or, less intrusively, a unique marker wrapped in quote and angle-bracket characters) and inspect the response source: if the payload comes back with its < > " characters intact, the page is vulnerable even if no alert fires, because the reflection may land inside an attribute or be blocked by browser policy. Test from inside the network as well as through any WAF, since the WAF can mask the reflection without fixing it.
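The probe below is an added example, not code from the advisory or from AndSoft. It assumes you are authorized to test the instance and that you supply the candidate parameter names yourself, since the advisory does not name which parameters of LOGINFRM_BET.ASP reflect. It uses a random non-executing marker and classifies the reflection from the response source rather than waiting for an alert() to fire.

```python
"""Marker-based reflection probe for the e-TMS login page (added example).

Assumptions (not from the advisory): the parameter names to test are passed
by the operator; the target is one you are authorized to test.
"""
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

VULN_PATH = "/clt/LOGINFRM_BET.ASP"   # path named in the advisory


def make_probe():
    """Return (marker, probe).

    The marker is random so a benign page string or a cached earlier test
    cannot be mistaken for a reflection. The probe wraps it in the characters
    an HTML-context encoder must neutralise: a quote to break out of an
    attribute value and angle brackets to open a new tag. Nothing executes.
    """
    marker = "xr" + secrets.token_hex(5)
    return marker, f'"><{marker}>'


def classify_reflection(body, marker):
    """Classify how the page echoed the probe.

    'raw'     : <marker> appears with the angle brackets intact, so an
                attacker controls tag boundaries and the page is exploitable
    'encoded' : the marker is present only in an HTML-encoded form (&lt;...&gt;)
    'absent'  : not reflected at all (parameter not echoed, or the request
                was blocked before reaching the page)
    """
    if f"<{marker}>" in body:
        return "raw"
    if marker in body:
        return "encoded"
    return "absent"


def build_probe_url(base_url, param_names, probe):
    """Place the probe in every candidate parameter, percent-encoded once."""
    query = urllib.parse.urlencode({name: probe for name in param_names})
    return f"{base_url.rstrip('/')}{VULN_PATH}?{query}"


def probe_target(base_url, param_names, timeout=10):
    """Send one GET carrying the probe and classify the response body."""
    marker, probe = make_probe()
    url = build_probe_url(base_url, param_names, probe)
    req = urllib.request.Request(url, headers={"User-Agent": "xss-reflection-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # A WAF block (e.g. 403) still returns a body; classify it anyway.
        body = err.read().decode("utf-8", errors="replace")
    return classify_reflection(body, marker), url


if __name__ == "__main__":
    # usage: python probe.py https://etms.example.internal param1 [param2 ...]
    # (hostname and parameter names are placeholders, not values from the advisory)
    state, url = probe_target(sys.argv[1], sys.argv[2:])
    print(f"{state}: {url}")
```

Run it once before and once after patching: the result should move from raw to encoded. An absent result on an unpatched system usually means the wrong parameter was tested or a WAF swallowed the request, not that the page is safe.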
Check Version:
Check application version in web interface or consult system documentation (no standard command provided by vendor)
Verify Fix Applied:
Retest with the same payloads after applying fixes. The reflected value must appear HTML-encoded in the response source (&lt; &gt; &quot;), or not at all; an alert that merely fails to fire is not proof, because browser policy or CSP can suppress execution while the markup injection remains.
📡 Detection & Monitoring
Log Indicators:
- Requests to /clt/LOGINFRM_BET.ASP whose query string contains script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, in plain or percent-encoded form (%3Cscript, %3C%2Fscript, and double-encoded variants such as %253C)
- Parameter values on the login page that are far longer than normal or contain markup characters (< > " ') where the application only ever sends short identifiers
Network Indicators:
- The same payload-bearing URL requested from many different client addresses within a short window, which indicates victims opening a phished link rather than a single scanner
- One source issuing bursts of requests to the login page with rapidly varying parameter values (fuzzer or scanner behaviour)
SIEM Query:
Splunk-style pseudo-query; adapt field names to your schema, and match on the URL-decoded query where your platform supports it, since attackers vary the encoding:
source="web_server" uri_path="/clt/LOGINFRM_BET.ASP" (uri_query="*<script*" OR uri_query="*%3Cscript*" OR uri_query="*javascript:*" OR uri_query="*javascript%3A*" OR uri_query="*onerror=*" OR uri_query="*onerror%3D*" OR uri_query="*onload=*" OR uri_query="*onload%3D*")
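The detector below is an added example, not part of the advisory, and does what a literal SIEM signature cannot: it URL-decodes the query string repeatedly before matching, so single- and double-encoded payloads are caught. The log lines are constructed in Apache combined format to stand in for the web server's access log (not real e-TMS logs); an IIS W3C log needs a different line regex but the same decode-then-match logic.

```python
"""Offline detector for XSS probes against the e-TMS login page (added example)."""
import re
import urllib.parse

VULN_PATH = "/clt/loginfrm_bet.asp"   # compared case-insensitively; IIS paths are

# Constructed sample lines (Apache combined format), not real e-TMS traffic.
# Line 2 is a plain encoded payload, line 3 is double-encoded, line 4 hits a
# different page and must be ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2025:10:01:02 +0200] "GET /clt/LOGINFRM_BET.ASP?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2025:10:01:09 +0200] "GET /clt/LOGINFRM_BET.ASP?lang=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2025:10:02:30 +0200] "GET /clt/LOGINFRM_BET.ASP?lang=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5200 "-" "curl/8.0"
198.51.100.4 - - [25/Sep/2025:10:02:31 +0200] "GET /clt/other.asp?q=%3Cscript%3E HTTP/1.1" 404 210 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to the fully decoded query, so they stay simple.
XSS_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"<\s*script",                              # tag-based injection
        r"javascript\s*:",                          # scheme injection in href/src
        r"\bon[a-z]+\s*=",                          # event handlers: onerror=, onload=, ...
        r"<\s*(img|svg|iframe|object|embed)\b",     # tags that fire handlers without a click
    )
]


def fully_decode(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; scanners double-encode
    to slip past WAF signatures that look only at the first layer."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line):
    """Return a dict describing a suspicious request to the login page, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path.lower() != VULN_PATH:
        return None
    decoded = fully_decode(query)
    hits = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "decoded_query": decoded,
        "patterns": hits,
    }


def scan(log_text):
    """Scan a whole log and return the suspicious entries in order."""
    return [r for r in (inspect_line(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} query={hit['decoded_query']!r}")
```

A 200 status on a flagged request means the payload reached the page rather than a WAF; correlate the source address across the rest of the log to tell a scanner (one IP, many variants) from a phishing campaign (many IPs, one payload).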