CVE-2025-59763
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS lets an attacker craft a link to the login page whose parameter values are reflected into the response without being encoded. A victim who opens the link runs the attacker's JavaScript inside their own e-TMS session, so the attacker can steal the session cookie (unless it is marked HttpOnly), redirect the user, or submit requests on their behalf. Organizations running AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS v25.03 (fixed in v25.04)
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
An administrator opens the crafted link: the attacker hijacks the administrator's session (if the session cookie is not HttpOnly) or drives the administrator's browser through privileged actions, exposing sensitive data and whatever other systems e-TMS is integrated with.
Likely Case
Ordinary users who open a phishing link have their session cookie stolen, or their browser used to read their data and submit unauthorized actions as them inside the application.
If Mitigated
If the reflected parameters are validated and output-encoded for the context they land in, the injected markup is rendered as inert text. HttpOnly session cookies and a Content Security Policy without 'unsafe-inline' further limit what a script could do if one slipped through.
🎯 Exploit Status
Reflected XSS needs a victim to open the attacker's link, so exploitation is typically delivered through phishing e-mails or links planted where e-TMS users will click them. Because the injection lands on the login form, a script there can also capture credentials as they are typed, not only steal an existing session cookie.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v25.04 or later
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: Yes
Instructions:
1. Back up the current installation.
2. Download v25.04 or later from AndSoft's official website.
3. Install the update following the vendor's instructions.
4. Restart the application server and re-run the verification check below.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Configure the WAF to block, or at least alert on, requests to /clt/LOGINFRM_EK.ASP whose l, demo, demo2, TNTLOGIN, UO or SuppConn parameters contain markup or script indicators (angle brackets, javascript: URIs, on*= event handlers), matching after URL-decoding. Treat this as a stopgap: WAF signatures are routinely bypassed with encoding and tag variants.
Input Validation Filter
Add server-side validation for the l, demo, demo2, TNTLOGIN, UO and SuppConn parameters (reject values that do not match the expected format) and HTML-encode them wherever they are written into the page. Encoding, not stripping, is what actually neutralizes the injection.
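The validate-then-encode pattern for the six login parameters, as an added example (not AndSoft code; e-TMS is a classic ASP application, so this Python shows the pattern rather than a drop-in fix). The allow-list formats are assumptions, because the page does not document what these parameters are supposed to contain; the vulnerable renderer is a stand-in for the raw interpolation that makes the page exploitable.

```python
"""Validate, then encode: the two server-side layers a reflected-XSS fix needs.

Added example, not part of the advisory or of AndSoft's product. The parameter
names and the login-page context come from the advisory; the allow-list
patterns below are assumptions and must be tightened to what your deployment
actually sends.
"""
import html
import re

# Assumed formats for the six reflected parameters (illustrative, not AndSoft's).
ALLOWED = {
    "l": re.compile(r"[a-z]{2}(?:-[A-Z]{2})?"),        # language tag, e.g. es or es-ES
    "demo": re.compile(r"[01]"),
    "demo2": re.compile(r"[01]"),
    "TNTLOGIN": re.compile(r"[A-Za-z0-9._@-]{1,64}"),  # login name
    "UO": re.compile(r"[A-Za-z0-9_-]{1,32}"),
    "SuppConn": re.compile(r"[A-Za-z0-9_-]{1,32}"),
}


def validate(params):
    """Keep only parameters whose value fully matches its allow-list; drop everything else."""
    clean = {}
    for name, pattern in ALLOWED.items():
        value = params.get(name)
        if value is not None and pattern.fullmatch(value):
            clean[name] = value
    return clean


def encode_attr(value):
    """Encode for an HTML attribute value.

    quote=True also turns " and ' into entities, which html.escape does not do by
    default. Without it a value can close the attribute and add a new one (for
    example an onfocus= handler) even though < and > are already encoded.
    """
    return html.escape(value, quote=True)


def render_vulnerable(params):
    """The reflected-XSS pattern: raw query values interpolated into the login form."""
    return (
        f'<input type="hidden" name="TNTLOGIN" value="{params.get("TNTLOGIN", "")}">'
        f'<input type="hidden" name="l" value="{params.get("l", "")}">'
    )


def render_hardened(params):
    """Validate first (reject what does not belong), then encode what is echoed anyway."""
    clean = validate(params)
    return (
        f'<input type="hidden" name="TNTLOGIN" value="{encode_attr(clean.get("TNTLOGIN", ""))}">'
        f'<input type="hidden" name="l" value="{encode_attr(clean.get("l", ""))}">'
    )


if __name__ == "__main__":
    # Constructed attacker input: breaks out of the value attribute in the raw renderer.
    payload = {"TNTLOGIN": '"><script>alert(1)</script>', "l": "es"}
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
```

The two layers are deliberately independent: validation rejects the payload outright, and encoding would still have neutralized it had validation been too loose. Keep both, since the exact format of each parameter is a guess until you confirm it against the application.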
🧯 If You Can't Patch
- Deploy a Content Security Policy that disallows inline script (nonce- or hash-based script-src, no 'unsafe-inline'); a permissive policy does not stop this class of injection.
- Monitor and block suspicious URLs containing the vulnerable parameters in web server logs.
🔍 How to Verify
Check if Vulnerable:
Request /clt/LOGINFRM_EK.ASP with a harmless marker that contains the characters an encoder must transform (for example xsschk"'<>) in each of the l, demo, demo2, TNTLOGIN, UO and SuppConn parameters, one parameter at a time, and inspect the raw response body rather than the rendered page. If the marker comes back verbatim, that parameter is vulnerable. A plain string such as 'test' is reflected identically whether or not the output is encoded, so it proves nothing.
Check Version:
Check the application's about page or configuration files for version information.
Verify Fix Applied:
After patching, repeat the same requests and confirm that the special characters come back as HTML entities (&quot; &#39; &lt; &gt;) or that the request is rejected. A response that encodes < and > but leaves quotes intact is still exploitable inside attribute values.
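A small probe that automates the check above, as an added example (not code from the advisory or from AndSoft). The path and parameter names come from the advisory; the marker string, the verdict names and the fetch wrapper are this example's own choices. It classifies a response as raw (vulnerable), encoded (fixed), partial (angle brackets handled but quotes not, so attribute breakout may still work) or absent (not reflected at all).

```python
"""Reflection probe for the e-TMS login-page parameters.

Added example, not part of the advisory or of AndSoft's product. LOGIN_PATH and
PARAMS come from the advisory; MARKER, the verdict names and probe() are
assumptions made for this example. Only run it against systems you are
authorized to test.
"""
import re
import sys
import urllib.parse
import urllib.request

LOGIN_PATH = "/clt/LOGINFRM_EK.ASP"
PARAMS = ["l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"]

# A recognisable prefix followed by the four characters an HTML encoder must
# transform. Contains no executable script, so it is safe to send.
PREFIX = "xsschk"
SPECIALS = "\"'<>"
MARKER = PREFIX + SPECIALS

# One HTML entity in named, decimal or hexadecimal form (&quot; &#39; &#x27; ...).
ENTITY = r"&(?:#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);"


def build_probe_urls(base_url):
    """One URL per parameter, carrying the marker in that parameter only."""
    base_url = base_url.rstrip("/")
    return {
        p: f"{base_url}{LOGIN_PATH}?{urllib.parse.urlencode({p: MARKER})}"
        for p in PARAMS
    }


def classify_reflection(body):
    """Judge how the marker came back in the raw response body.

    raw      - the four special characters are reflected verbatim: vulnerable
    encoded  - all four came back as HTML entities: fixed
    partial  - something else (typically < and > encoded but quotes kept):
               inspect manually, attribute-context injection may still work
    absent   - the marker is not reflected at all
    """
    if PREFIX not in body:
        return "absent"
    after = body.split(PREFIX, 1)[1]
    if after.startswith(SPECIALS):
        return "raw"
    if re.match(ENTITY * 4, after):
        return "encoded"
    return "partial"


def probe(base_url, fetch=None):
    """Fetch each probe URL and return {parameter: verdict}. fetch defaults to urllib."""
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=15) as resp:
                return resp.read().decode("utf-8", "replace")
    return {p: classify_reflection(fetch(url)) for p, url in build_probe_urls(base_url).items()}


if __name__ == "__main__":
    # Usage: python probe.py https://tms.example  (hostname is hypothetical)
    for param, verdict in probe(sys.argv[1]).items():
        print(f"{param:10s} {verdict}")
```

The probe looks at the raw body, never at a rendered page, and it reports partial rather than encoded when quotes survive, which is the case a quick manual check with 'test' or even with '<script>' would miss.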
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to '/clt/LOGINFRM_EK.ASP' whose l, demo, demo2, TNTLOGIN, UO or SuppConn values contain script tags, HTML event handlers (onerror=, onload=) or javascript: URIs, in plain or percent-encoded form (including double-encoded variants such as %253C).
Network Indicators:
- Browsers that have just loaded the login page making requests to hosts you do not control (cookie or credential exfiltration), or being redirected from the login page to unfamiliar domains.
SIEM Query:
source="web_server" AND uri="/clt/LOGINFRM_EK.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value CONTAINS "<" OR value CONTAINS "%3C" OR value CONTAINS "javascript:" OR value CONTAINS "onerror=" OR value CONTAINS "onload=")
Match case-insensitively against the URL-decoded query string: payloads arrive percent-encoded (sometimes twice), and matching only a literal "<script>" misses <img onerror=...>, <svg onload=...> and encoded forms. Adapt the field names to your SIEM; param and value above stand for however your platform exposes parsed query parameters.
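The same detection logic run over log lines, as an added example (not code from the advisory or from AndSoft). e-TMS serves .ASP pages, so the sample is a constructed, simplified IIS W3C extended log; the path and parameter names come from the advisory, the indicator list and field layout are this example's assumptions. It URL-decodes each value until stable, so double-encoded payloads are seen the way the application sees them.

```python
"""Scan IIS W3C log lines for XSS payloads aimed at the e-TMS login page.

Added example, not part of the advisory or of AndSoft's product. The log lines
are constructed. LOGIN_PATH and PARAMS come from the advisory; the indicator
regex is illustrative, not exhaustive.
"""
import re
import urllib.parse

LOGIN_PATH = "/clt/loginfrm_ek.asp"  # compared case-insensitively, as IIS does
PARAMS = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}

# Coarse indicators applied to the decoded value. Deliberately broader than a
# literal "<script>" so that <img onerror=...>, <svg onload=...> and javascript:
# URIs are caught; expect occasional false positives (a value such as "onion=1").
INDICATORS = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|body|object|embed)\b"
    r"|javascript:"
    r"|\bon[a-z]+\s*="
    r"|expression\s*\(",
    re.IGNORECASE,
)

# Constructed sample log (RFC 5737 documentation addresses, simplified field set).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-09-24 10:01:12 GET /clt/LOGINFRM_EK.ASP l=es 203.0.113.10 200
2025-09-24 10:02:45 GET /clt/LOGINFRM_EK.ASP l=%3Cscript%3Ealert(1)%3C/script%3E 198.51.100.7 200
2025-09-24 10:03:01 GET /clt/LOGINFRM_EK.ASP TNTLOGIN=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 198.51.100.7 200
2025-09-24 10:03:30 GET /clt/other.asp demo=%3Cscript%3E 198.51.100.7 404
2025-09-24 10:04:10 GET /clt/LOGINFRM_EK.ASP UO=javascript%3Aalert(document.cookie) 192.0.2.5 200
2025-09-24 10:05:00 GET /clt/LOGINFRM_EK.ASP foo=%3Cscript%3E 192.0.2.9 200
"""


def parse_w3c(text):
    """Yield one dict per record, using the log's own #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def fully_decode(value, rounds=3):
    """URL-decode until stable (bounded) so double-encoded payloads are seen as the app sees them."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text, params=PARAMS):
    """Return records where a watched login-page parameter carries an XSS indicator.

    params=None watches every parameter on the login page, which is the safer
    choice for hunting; the default restricts to the six parameters the advisory names.
    """
    hits = []
    for rec in parse_w3c(log_text):
        if rec.get("cs-uri-stem", "").lower() != LOGIN_PATH:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qsl decodes one layer; fully_decode strips any further layers.
        for name, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if params is not None and name.lower() not in params:
                continue
            decoded = fully_decode(value)
            match = INDICATORS.search(decoded)
            if match:
                hits.append({
                    "time": f"{rec['date']} {rec['time']}",
                    "src": rec["c-ip"],
                    "param": name,
                    "indicator": match.group(0),
                    "decoded": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']:15s} {hit['param']:9s} {hit['indicator']:12s} {hit['decoded']}")
```

Against the sample, the plain language code (l=es) and the request to a different page are ignored, while the single-encoded script tag, the double-encoded image handler and the javascript: URI are all reported with the source IP and the decoded value, which is what an analyst needs to pivot on.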