CVE-2025-59757
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to execute arbitrary JavaScript in victims' browsers by tricking them into clicking malicious URLs containing specially crafted parameters. Organizations using AndSoft's e-TMS v25.03 are affected, particularly those with internet-facing login interfaces.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware through drive-by downloads.
Likely Case
Session hijacking leading to unauthorized access, credential theft, or defacement of the application interface.
If Mitigated
Limited impact if proper input validation, output encoding, and Content Security Policy are implemented.
🎯 Exploit Status
Reflected XSS typically requires user interaction but is easily weaponized in phishing campaigns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Contact AndSoft for patch availability.
2. Apply the vendor-provided security update.
3. Test in a non-production environment first.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation and proper output encoding for the vulnerable parameters.
Web Application Firewall (WAF) Rules
Deploy WAF rules to block XSS payloads targeting the vulnerable parameters.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution.
- Monitor and filter malicious traffic patterns targeting the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Test the '/clt/LOGINFRM_CATOLD.ASP' endpoint with XSS payloads in parameters: l, demo, demo2, TNTLOGIN, UO, SuppConn.
Check Version:
Check application version in interface or configuration files; vendor-specific method required.
Verify Fix Applied:
Retest with XSS payloads after applying fixes; ensure scripts don't execute and inputs are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values containing script tags or JavaScript in access logs for LOGINFRM_CATOLD.ASP.
Network Indicators:
- HTTP requests with suspicious parameters containing script patterns or encoded payloads.
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_CATOLD.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value="<script>" OR value="javascript:" OR value="onerror=" OR value="onload=")
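The log indicators and SIEM query above can be turned into an offline check over web server access logs. The following is an added example written for this page (not AndSoft's code or a vendor-supplied detection): it parses Common Log Format lines, restricts matching to the advisory's endpoint and six parameters, percent-decodes values repeatedly so double-encoded payloads are not missed, and flags the same patterns the SIEM query lists. The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameters named in the advisory (compared case-insensitively)
VULN_PATH = "/clt/loginfrm_catold.asp"
VULN_PARAMS = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}
# Patterns taken from the advisory's SIEM query, applied after decoding
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)
# Common Log Format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3}')

def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded) so %253C-style double encoding is seen."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def check_request(target):
    """Return [(param, decoded_value), ...] for suspicious values in one request target."""
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in VULN_PARAMS:
            continue
        for raw in values:  # parse_qs already decoded once; decode again for nesting
            decoded = decode_fully(raw)
            if XSS_PATTERNS.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return [(client_ip, param, decoded_value), ...] for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in check_request(m.group("target")):
            findings.append((m.group("ip"), param, value))
    return findings

# Constructed sample access log (RFC 5737 test addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2025:10:01:02 +0000] "GET /clt/LOGINFRM_CATOLD.ASP?l=es&demo=1 HTTP/1.1" 200 1543',
    '203.0.113.9 - - [24/Sep/2025:10:02:10 +0000] "GET /clt/LOGINFRM_CATOLD.ASP?UO=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1600',
    '203.0.113.9 - - [24/Sep/2025:10:02:30 +0000] "GET /clt/LOGINFRM_CATOLD.ASP?TNTLOGIN=%2522%2520onload%253Dalert(1) HTTP/1.1" 200 1601',
    '198.51.100.7 - - [24/Sep/2025:10:03:00 +0000] "GET /clt/other.asp?l=%3Cscript%3E HTTP/1.1" 404 210',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second and third lines; the double-encoded `onload=` in the third line is caught only because of the repeated decoding, which a single-pass string match in a SIEM would miss.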