CVE-2025-59756
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03 allows attackers to execute arbitrary JavaScript in victims' browsers by tricking them into clicking malicious URLs containing specially crafted parameters. Organizations using the vulnerable e-TMS version are affected, particularly those with internet-facing login interfaces.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft, a transport management system (TMS) used to handle transportation data and operations.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete system compromise.
Likely Case
Attackers will typically use this to steal session cookies and hijack user accounts, potentially accessing sensitive transportation management data or performing unauthorized actions.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing execution in user browsers.
🎯 Exploit Status
Reflected XSS typically requires user interaction (the victim must open a malicious link), but no authentication is needed to exploit it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to a version later than v25.03
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: Yes
Instructions:
1. Contact AndSoft for the updated version
2. Back up the current installation
3. Apply the vendor-provided patch
4. Restart application services
5. Verify that the fix is in place
🔧 Temporary Workarounds
Input Validation Filter
Platform: Windows
Implement server-side input validation for the vulnerable parameters so that malicious payloads are rejected.
In classic ASP, also HTML-encode each reflected parameter before it is written to the page, e.g. Server.HTMLEncode(Request.QueryString("parameter")) for each vulnerable parameter.
Web Application Firewall Rules
Platform: All
Configure the WAF to block requests containing JavaScript patterns in the vulnerable parameters.
Add a WAF rule that blocks requests whose query parameters contain <script>, javascript:, or other common XSS payload patterns (including their URL-encoded forms).
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Test by sending crafted XSS payloads to the vulnerable parameters of /clt/LOGINFRM_CON.ASP and checking whether the scripts execute in the browser.
Check Version:
Check application version in admin interface or consult vendor documentation
Verify Fix Applied:
Re-test with the same XSS payloads after patching; the reflected values should be HTML-encoded and the scripts should no longer execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values containing script tags or JavaScript in access logs
- Multiple failed login attempts with suspicious parameters
Network Indicators:
- HTTP requests to login form with encoded script payloads in query parameters
- Outbound connections to suspicious domains following login attempts
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_CON.ASP" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
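The same detection logic as the SIEM query above, written as an added Python example (not code from the advisory, the vendor, or any SIEM product) and run over constructed access-log lines. It URL-decodes the query string repeatedly so that percent-encoded and double-encoded payloads are caught as well as literal ones, and matches case-insensitively because IIS paths and JavaScript keywords are not case-sensitive.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Combined Log Format; illustrative only,
# not real traffic from any e-TMS deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2025:10:01:02 +0200] "GET /clt/LOGINFRM_CON.ASP?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [24/Sep/2025:10:01:07 +0200] "GET /clt/LOGINFRM_CON.ASP?msg=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [24/Sep/2025:10:01:09 +0200] "GET /clt/LOGINFRM_CON.ASP?ret=JavaScript%3Avoid(0) HTTP/1.1" 200 640
10.0.0.9 - - [24/Sep/2025:10:01:11 +0200] "GET /clt/LOGINFRM_CON.ASP?msg=%253Cscript%253E HTTP/1.1" 200 640
10.0.0.7 - - [24/Sep/2025:10:02:00 +0200] "GET /clt/other.asp?msg=%3Cscript%3E HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/clt/LOGINFRM_CON.ASP"   # vulnerable login form from the advisory
XSS_PATTERNS = ("<script", "javascript:")  # same indicators as the SIEM query


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads (%253C) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_hits(log_text):
    """Return one record per request to the login form whose query matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != TARGET_PATH.lower():  # IIS paths are case-insensitive
            continue
        query = decode_fully(parts.query).lower()
        matched = [p for p in XSS_PATTERNS if p in query]
        if matched:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "patterns": matched, "raw_query": parts.query})
    return hits


if __name__ == "__main__":
    for hit in find_xss_hits(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["patterns"], hit["raw_query"])
```

Requests to other paths are ignored on purpose; widen TARGET_PATH to a list if other reflected parameters are identified in your deployment.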