CVE-2025-59754
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to inject malicious JavaScript via specially crafted URLs that supply the l, demo, demo2, TNTLOGIN, UO and SuppConn parameters. When a victim opens such a link, the attacker's script executes in the victim's browser session. Organizations using AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals session cookies, performs account takeover, redirects users to phishing sites, or performs actions on behalf of authenticated users.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
Limited impact if input validation and output encoding are properly implemented, though some risk remains.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited with simple malicious URLs that don't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for updated version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: Yes
Instructions:
1. Review the vendor advisory at the provided URL.
2. Apply the recommended patch from AndSoft.
3. Restart the e-TMS application services.
4. Verify the fix by testing the vulnerable parameters.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the vulnerable parameters before processing.
Implement ASP input validation for parameters: l, demo, demo2, TNTLOGIN, UO, SuppConn
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious requests containing script payloads.
Configure WAF rules to detect and block XSS patterns in URL parameters
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Disable or restrict access to the vulnerable '/clt/LOGINFRM_original.ASP' endpoint if not required
🔍 How to Verify
Check if Vulnerable:
Test the vulnerable parameters by sending XSS payloads like <script>alert('test')</script> in the l, demo, demo2, TNTLOGIN, UO, and SuppConn parameters to '/clt/LOGINFRM_original.ASP'.
Check Version:
Check the e-TMS application interface or configuration files for version information (typically v25.03 for vulnerable systems).
Verify Fix Applied:
After patching, repeat the XSS test with the same payloads and verify no script execution occurs.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to '/clt/LOGINFRM_original.ASP' containing script tags or JavaScript in parameters
- Unusual parameter values in login-related requests
Network Indicators:
- URLs with encoded script payloads in query parameters
- Requests with suspicious parameter names (l, demo, demo2, TNTLOGIN, UO, SuppConn) containing executable code
SIEM Query:
source="web_server" AND url="*LOGINFRM_original.ASP*" AND (param="*<script>*" OR param="*javascript:*" OR param="*onerror=*" OR param="*onload=*")
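The log indicators and SIEM query above, applied over web-server log lines in an added example (not code from AndSoft or the advisory). It assumes a simple space-separated log format (client IP, method, URL, status), uses constructed sample lines, and decodes percent-encoding repeatedly so that the double-encoded payloads mentioned under Network Indicators are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint and parameter names taken from the advisory.
VULN_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}
ENDPOINT = "/clt/LOGINFRM_original.ASP"

# Same patterns as the SIEM query, matched after decoding.
XSS_PATTERNS = re.compile(r"<\s*script|javascript\s*:|\bon(?:error|load)\s*=", re.IGNORECASE)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url: str):
    """Return (param, decoded_value) pairs on the vulnerable endpoint that match XSS patterns."""
    parts = urlsplit(url)
    if parts.path.lower() != ENDPOINT.lower():
        return []
    hits = []
    # parse_qsl already strips one layer of percent-encoding; fully_decode handles the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name not in VULN_PARAMS:
            continue
        value = fully_decode(raw)
        if XSS_PATTERNS.search(value):
            hits.append((name, value))
    return hits

# Constructed sample log lines (assumed format, not from any real system).
SAMPLE_LOG = """\
10.0.0.5 GET /clt/LOGINFRM_original.ASP?l=en&UO=1 200
10.0.0.7 GET /clt/LOGINFRM_original.ASP?demo=%3Cscript%3Ealert(1)%3C/script%3E 200
10.0.0.8 GET /clt/LOGINFRM_original.ASP?TNTLOGIN=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 200
10.0.0.9 GET /clt/other.asp?l=%3Cscript%3E 200
"""

def scan_log(text: str):
    """Return (client_ip, param, decoded_value) for every flagged request in the log text."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        for name, value in inspect_request(fields[2]):
            findings.append((fields[0], name, value))
    return findings
```

The benign first line and the request to a different path are not flagged; only the two requests carrying (single- and double-encoded) payloads in the listed parameters are reported.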