CVE-2025-59759
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to inject malicious JavaScript via specially crafted URLs containing parameters like 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO', and 'SuppConn'. When victims click these malicious links, the attacker can execute arbitrary code in their browser session. Organizations using AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim systems.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
Limited impact if proper input validation, output encoding, and Content Security Policy are implemented.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but doesn't require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Check the vendor advisory for patch availability.
2. If a patch exists, download it from the official vendor source.
3. Apply the patch following the vendor's instructions.
4. Test application functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the vulnerable parameters before processing.
Implement ASP input validation for parameters: l, demo, demo2, TNTLOGIN, UO, SuppConn
Web Application Firewall (WAF)
Deploy WAF rules to block requests containing suspicious JavaScript patterns in the vulnerable parameters.
Configure WAF to block: <script>, javascript:, onload=, etc. in query parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Monitor and block access to '/clt/LOGINFRM_DELCROIX.ASP' with suspicious parameter values containing script tags or JavaScript.
🔍 How to Verify
Check if Vulnerable:
Test by sending a request to /clt/LOGINFRM_DELCROIX.ASP with the listed parameters containing <script>alert('XSS')</script> and check whether the script executes in the response.
Check Version:
Check application interface or configuration files for version information (typically v25.03).
Verify Fix Applied:
Repeat the test with malicious payloads; a successful fix should show the payload encoded in the output or block its execution.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to LOGINFRM_DELCROIX.ASP with parameters containing <script>, javascript:, or other XSS payloads
Network Indicators:
- Unusual traffic patterns to the vulnerable endpoint with encoded or obfuscated JavaScript in URLs
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_DELCROIX.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND payload CONTAINS "<script>"
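Added example (not from the advisory or the vendor): a small Python scanner that applies the log indicators above to access-log lines, URL-decoding parameter values (including the double encoding the network indicator mentions) before matching the advisory's patterns against the six named parameters. The log format, IP addresses and sample payloads are constructed for illustration; the XSS pattern list is an assumption based on the WAF guidance above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Endpoint and parameters named in the advisory (IIS paths are case-insensitive).
VULN_PATH = "/clt/LOGINFRM_DELCROIX.ASP".lower()
VULN_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}
# Advisory WAF patterns (<script>, javascript:, on*=) plus img/svg tags; checked after decoding.
XSS_PATTERN = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg)\b", re.I)
# Request line inside a common-log-format entry: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample entries (not real traffic): benign, URL-encoded payload,
# double-encoded payload on a lower-cased path, and a payload against another page.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2025:10:00:01 +0000] "GET /clt/LOGINFRM_DELCROIX.ASP?l=en&UO=ACME HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Sep/2025:10:00:02 +0000] "GET /clt/LOGINFRM_DELCROIX.ASP?l=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 600',
    '10.0.0.9 - - [24/Sep/2025:10:00:03 +0000] "GET /clt/loginfrm_delcroix.asp?demo2=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 600',
    '10.0.0.7 - - [24/Sep/2025:10:00:04 +0000] "GET /clt/other.asp?l=%3Cscript%3E HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of URL encoding so %253C (double-encoded '<') is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(uri):
    """Return {param: decoded value} for advisory-listed parameters carrying XSS-like input.
    parse_qs decodes one layer itself; fully_decode peels any further layers."""
    parts = urlsplit(uri)
    if parts.path.lower() != VULN_PATH:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in VULN_PARAMS:
            for value in values:
                decoded = fully_decode(value)
                if XSS_PATTERN.search(decoded):
                    hits[name] = decoded
    return hits

def scan_log(lines):
    """Return [(line_number, hits)] for every log entry that matches the indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group("uri")) if match else {}
        if hits:
            findings.append((number, hits))
    return findings
```

Feed real IIS or proxy logs through scan_log after adapting REQUEST_RE to their request-line format; the SIEM pseudo-query above expresses the same match for a log platform that has already split out the URI and parameters.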