CVE-2025-59760
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to inject malicious JavaScript via specially crafted URLs. When victims click these links, the attacker can steal session cookies, redirect users, or perform actions on their behalf. Organizations using e-TMS v25.03 with the vulnerable '/clt/LOGINFRM_DHL.ASP' page are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full system access, exfiltrates sensitive data, and potentially compromises the entire e-TMS deployment.
Likely Case
Attacker steals user session cookies to impersonate legitimate users, accesses their data, and performs unauthorized actions within their permission scope.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing successful exploitation.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited with simple malicious URLs. No authentication required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: Yes
Instructions:
1. Contact AndSoft for patch information.
2. Apply the official patch.
3. Restart the e-TMS application.
4. Verify the fix by testing the vulnerable parameters.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the vulnerable parameters
Implement ASP input validation for parameters: l, demo, demo2, TNTLOGIN, UO, SuppConn
Web Application Firewall (WAF)
Deploy WAF rules to block XSS payloads targeting the vulnerable endpoint
Configure WAF to block requests containing script tags and JavaScript in the vulnerable parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Deploy network segmentation to restrict access to the vulnerable application from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Test the '/clt/LOGINFRM_DHL.ASP' page by injecting simple XSS payloads like <script>alert('test')</script> into the vulnerable parameters
Check Version:
Check application version in e-TMS admin interface or configuration files
Verify Fix Applied:
After patching, retest with the same XSS payloads - they should be properly sanitized and not execute
📡 Detection & Monitoring
Log Indicators:
- Unusually long parameter values in '/clt/LOGINFRM_DHL.ASP' requests
- Requests containing script tags, JavaScript functions, or encoded payloads in vulnerable parameters
Network Indicators:
- HTTP requests to '/clt/LOGINFRM_DHL.ASP' with suspicious parameter values
- Outbound connections to unknown domains following access to vulnerable page
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_DHL.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:" OR value CONTAINS "onerror=" OR value CONTAINS "onload=")
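The SIEM query above expressed as a small log scanner, as an added example that is not part of this advisory or of the vendor's tooling: it reads Common Log Format lines (the sample lines below are constructed, not real traffic), selects requests to the vulnerable page, and flags the six named parameters when their percent-decoded values carry one of the query's indicators. It goes slightly beyond the query by decoding repeatedly, so a double-encoded payload is still caught.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Page and parameters named in the advisory (IIS paths are case-insensitive)
VULN_PATH = "/clt/LOGINFRM_DHL.ASP"
VULN_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}
# Indicator substrings taken from the advisory's SIEM query, matched case-insensitively
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Request part of a Common Log Format line: "METHOD /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so an encoded or double-encoded payload is compared in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request_line(line):
    """Return a list of (param, decoded_value) hits for one log line, or [] if clean."""
    m = REQ_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != VULN_PATH.lower():
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for v in values:
            decoded = decode_fully(v).lower()
            if any(ind in decoded for ind in INDICATORS):
                hits.append((name, decoded))
    return hits

def scan(lines):
    """Return (line_index, hits) for every line that matches; clean lines are omitted."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := check_request_line(line))]

# Constructed sample log lines (hypothetical hosts and timestamps), not captured traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2025:10:00:01 +0200] "GET /clt/LOGINFRM_DHL.ASP?l=es&demo=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Sep/2025:10:00:07 +0200] "GET /clt/LOGINFRM_DHL.ASP?UO=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Sep/2025:10:00:09 +0200] "GET /clt/other.asp?UO=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: {hits}")
```

Only the second sample line is reported: the first has benign values and the third targets a different page, so the parameter name alone is not enough to trigger an alert.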