CVE-2025-59761
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03 that allows attackers to execute malicious JavaScript in victims' browsers by tricking them into clicking specially crafted URLs. Organizations using this specific version of AndSoft's e-TMS transportation management software are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft, a transportation management system (TMS)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.
Likely Case
Session hijacking leading to unauthorized access to the transportation management system and potential data theft.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though user interaction would still be required.
🎯 Exploit Status
Reflected XSS typically requires user interaction (the victim must open a malicious link), but once a working URL has been crafted it is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
Contact AndSoft vendor for patch information and apply when available. Monitor vendor communications for updates.
🔧 Temporary Workarounds
Input Validation and Output Encoding
- Implement server-side validation and proper output encoding for the vulnerable parameters
- Implement input validation for the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters
- Apply HTML encoding to all user-controlled output
Web Application Firewall (WAF)
- Deploy WAF rules to block XSS payloads targeting the vulnerable endpoint
- Configure the WAF to block requests containing script tags and JavaScript in URL parameters
- Create a rule for the /clt/LOGINFRM_DLG.ASP endpoint
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Restrict access to the vulnerable endpoint using network segmentation or authentication requirements
🔍 How to Verify
Check if Vulnerable:
Test by injecting XSS payloads into the vulnerable parameters (l, demo, demo2, TNTLOGIN, UO, SuppConn) of /clt/LOGINFRM_DLG.ASP and observing whether they are reflected unencoded
Check Version:
Check application version in web interface or configuration files
Verify Fix Applied:
Verify that injected script payloads are properly sanitized and do not execute in browser
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values containing script tags or JavaScript in access logs
- Multiple failed login attempts with suspicious parameters
Network Indicators:
- HTTP requests to /clt/LOGINFRM_DLG.ASP with encoded script payloads in parameters
- URLs containing JavaScript code in query strings
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_DLG.ASP" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
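The SIEM query above matches the literal strings `<script>` and `javascript:`, which a browser will send percent-encoded (`%3Cscript%3E`), and the network indicators note that payloads arrive encoded. A detection that decodes the query string first closes that gap. The following is an added example, not part of the advisory: it parses constructed Common Log Format lines (not a real e-TMS log), restricts itself to the endpoint and parameter names the page lists, and matches a small script-indicator pattern against the fully decoded value so that single- and double-encoded payloads are both caught. The path comparison is case-insensitive because IIS serves classic ASP paths case-insensitively.

```python
"""Detection example (added here, not the advisory's own tooling): flag
access-log requests to the e-TMS login endpoint whose watched parameters
carry script-like payloads, after undoing URL encoding."""
import re
from urllib.parse import parse_qs, unquote, urlparse

TARGET_PATH = "/clt/LOGINFRM_DLG.ASP"
WATCHED_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}

# Indicators checked against the decoded value; intentionally small and
# readable rather than an exhaustive XSS signature set.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|<\s*iframe|<\s*svg", re.IGNORECASE)

# Common Log Format: client ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def full_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; stop when stable.
    parse_qs already decodes one layer, so this catches double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(uri):
    """Return [(param, decoded_value), ...] for watched parameters that look
    like script injection, or [] if the URI is another endpoint or is clean."""
    parsed = urlparse(uri)
    if parsed.path.lower() != TARGET_PATH.lower():
        return []
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            decoded = full_decode(raw)
            if SUSPICIOUS.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one alert dict per log line whose request matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real pipeline would count these
        client, ts, _method, uri, status = m.groups()
        hits = analyze_request(uri)
        if hits:
            alerts.append({"client": client, "time": ts, "status": int(status), "hits": hits})
    return alerts


# Constructed sample log lines (not from a real deployment): a normal login
# page load, a single-encoded payload, a double-encoded payload on a
# differently-cased path, and the same payload against an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2025:10:01:02 +0200] "GET /clt/LOGINFRM_DLG.ASP?l=es&demo=0 HTTP/1.1" 200 4821',
    '10.0.0.9 - - [24/Sep/2025:10:02:11 +0200] "GET /clt/LOGINFRM_DLG.ASP?l=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4950',
    '10.0.0.9 - - [24/Sep/2025:10:02:40 +0200] "GET /clt/loginfrm_dlg.asp?UO=%253Cscript%253E HTTP/1.1" 200 4950',
    '10.0.0.7 - - [24/Sep/2025:10:03:00 +0200] "GET /clt/other.asp?l=%3Cscript%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the first line is clean, the second and third produce alerts (the third only because the value is decoded twice), and the fourth is ignored because it targets a different path. A 200 status on an alerted line is worth noting: it means the application served the page with the payload reflected, which is the condition the "Verify Fix Applied" step above is checking for.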