CVE-2025-59762
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03 that allows attackers to execute malicious JavaScript in victims' browsers by tricking them into clicking specially crafted URLs. The vulnerability affects users of the e-TMS web interface who access the vulnerable login form page.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
E Tms by Andsoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking, credential theft, or defacement of the login page through injected content.
If Mitigated
Limited impact if proper input validation, output encoding, and Content Security Policy are implemented.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited with simple malicious URLs. No authentication required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Check vendor advisory for patch availability. 2. Apply any available security updates. 3. Test the fix in a non-production environment first.
🔧 Temporary Workarounds
Input Validation Filter
allImplement server-side input validation for the vulnerable parameters (l, demo, demo2, TNTLOGIN, UO, SuppConn) to reject malicious input.
Output Encoding
allApply proper HTML encoding to all user-controlled data before output in the ASP page.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Restrict access to the vulnerable page using network controls or authentication
🔍 How to Verify
Check if Vulnerable:
Test the vulnerable parameters in '/clt/LOGINFRM_DLG.ASP' with XSS payloads like <script>alert('XSS')</script>Check Version:
Check the e-TMS application version in the admin interface or configuration files.Verify Fix Applied:
Retest with XSS payloads after applying fixes to confirm they are properly sanitized or blocked.📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values in access logs for LOGINFRM_DLG.ASP
- Requests containing script tags or JavaScript in URL parameters
Network Indicators:
- HTTP requests to LOGINFRM_DLG.ASP with suspicious parameter values
- URLs containing encoded script tags or JavaScript
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_DLG.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value="*<script>*" OR value="*javascript:*")