CVE-2025-59764
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows an attacker to inject JavaScript through crafted URLs: the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters of the '/clt/LOGINFRM_FCC.ASP' login page are reflected into the response without proper output encoding. A victim who opens such a link while using the application has the script run in their browser session, where it can read session cookies (unless they are marked HttpOnly), redirect the user, or perform actions on their behalf. Organizations running AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS v25.03
📦 What is this software?
e-TMS, a transport management system by AndSoft.
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal an administrator's session cookie, gain full access to the application with administrator rights, expose the sensitive data it manages, and potentially pivot to internal systems reachable from the application.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access their data, and perform unauthorized actions within the application.
If Mitigated
With proper output encoding (and input validation as a second layer), injected characters are rendered as text rather than interpreted as markup, so the script never executes.
🎯 Exploit Status
Reflected XSS is routinely weaponized in phishing campaigns: the attacker only has to get a logged-in user to open a crafted link, and building such a link requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version as advised by vendor
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: Yes
Instructions:
1. Contact AndSoft for the latest patched version.
2. Back up the current installation.
3. Apply the vendor-provided patch.
4. Restart the application server.
5. Verify the fix (see "How to Verify" below).
🔧 Temporary Workarounds
Input Validation Filter (Windows / IIS)
Implement server-side input validation for the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters before their values are written back into the page.
Example Classic ASP (VBScript) filter that strips the characters a payload needs to break out of HTML context (note that a double quote inside a VBScript string literal is written as two double quotes):
    <%
    ' Stop-gap filter: removes HTML metacharacters from a request parameter.
    ' Stripping is not a complete defence (it does nothing inside a JavaScript
    ' or URL context); the durable control is to HTML-encode at output time,
    ' e.g. Response.Write Server.HTMLEncode(Request.QueryString("l")).
    Function CleanInput(str)
        str = Replace(str, "<", "")
        str = Replace(str, ">", "")
        str = Replace(str, "'", "")
        str = Replace(str, """", "")
        CleanInput = str
    End Function
    %>
Web Application Firewall (WAF) (all platforms)
Deploy WAF rules that block XSS payloads in the query string of requests to '/clt/LOGINFRM_FCC.ASP'.
Configure the rule to match the URL-decoded query string (payloads usually arrive as %3Cscript%3E rather than <script>) for patterns such as <script, javascript:, and on*= event-handler attributes (onload=, onerror=, onmouseover=).
🧯 If You Can't Patch
- Send a Content-Security-Policy header that disallows inline script (e.g. script-src 'self'); a reflected <script> block or inline event handler is then blocked by the browser. Test first, since a legacy ASP application with its own inline scripts may break under such a policy.
- Disable or restrict access to '/clt/LOGINFRM_FCC.ASP' (e.g. by source IP) if the page is not required.
🔍 How to Verify
Check if Vulnerable:
Test each affected parameter ('l', 'demo', 'demo2', 'TNTLOGIN', 'UO', 'SuppConn') with a harmless probe, e.g. http://[target]/clt/LOGINFRM_FCC.ASP?l=<script>alert('XSS')</script> (the browser percent-encodes the payload; with curl use --get --data-urlencode "l=<script>alert('XSS')</script>"). Inspect the response body: if the characters <, > and " come back unchanged inside the HTML, the parameter is reflected unencoded and the page is vulnerable; an alert dialog in the browser confirms it.
Check Version:
Check application interface or configuration files for version information
Verify Fix Applied:
Retest with the same payload: the script must not execute, and the reflected value must appear HTML-encoded in the response (e.g. &lt;script&gt;) or not be reflected at all.
📡 Detection & Monitoring
Log Indicators:
- Unusually long values in the query string of requests to '/clt/LOGINFRM_FCC.ASP'
- Requests whose query string contains script tags, javascript: URLs or event-handler attributes, in plain, percent-encoded (%3Cscript%3E) or double-encoded (%253Cscript%253E) form
- Multiple failed login attempts from the same IP
Network Indicators:
- HTTP requests with parameters containing <script>, javascript: or their percent-encoded equivalents
- Unusual redirects from login page
SIEM Query:
source="web_logs" AND url="*LOGINFRM_FCC.ASP*" AND (param="*<script*" OR param="*%3Cscript*" OR param="*javascript:*" OR param="*javascript%3A*" OR param="*onload=*" OR param="*onerror=*")
(Field names depend on your log schema; match on the URL-decoded query string if your SIEM provides one, otherwise include the percent-encoded variants as above.)
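The SIEM query above can be approximated offline over exported IIS logs. The following Python script is an added example (not vendor, INCIBE or SIEM code) that parses IIS W3C log lines using the #Fields header, restricts to the vulnerable page, percent-decodes each parameter value up to twice, and flags values that look like XSS payloads. The log lines are constructed for the demo; the page path and the six parameter names are the only facts taken from the advisory.

```python
"""Scan IIS W3C access logs for XSS probes against /clt/LOGINFRM_FCC.ASP.

Added example, not vendor or INCIBE code. The sample log lines below are
constructed for the demo; the only page-derived facts are the path and
the parameter names. Payloads are matched after percent-decoding
(twice, to catch double-encoded requests), which a plain substring match
on "<script>" in raw logs misses.
"""
import re
from urllib.parse import parse_qs, unquote_plus

PAGE = "/clt/loginfrm_fcc.asp"                       # compared case-insensitively
KNOWN_PARAMS = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}
XSS_RE = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|body)\b"     # tag injection
    r"|javascript\s*:"                               # javascript: URLs
    r"|\bon[a-z]+\s*=",                              # event-handler attributes
    re.IGNORECASE,
)

# Constructed sample (IIS W3C format, reduced field list). Not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-09-24 10:00:01 10.0.0.5 GET /clt/LOGINFRM_FCC.ASP l=es&demo=0 203.0.113.10 200
2025-09-24 10:00:07 10.0.0.5 GET /clt/LOGINFRM_FCC.ASP l=%3Cscript%3Ealert(1)%3C/script%3E 198.51.100.7 200
2025-09-24 10:00:09 10.0.0.5 GET /clt/LOGINFRM_FCC.ASP UO=%22%20onmouseover%3Dalert(document.cookie)%20x%3D%22 198.51.100.7 200
2025-09-24 10:00:12 10.0.0.5 GET /clt/other.asp q=%3Cscript%3E 198.51.100.9 200
2025-09-24 10:00:15 10.0.0.5 GET /clt/LOGINFRM_FCC.ASP l=javascript%253Aalert(1) 198.51.100.7 200
2025-09-24 10:00:20 10.0.0.5 GET /clt/LOGINFRM_FCC.ASP - 203.0.113.11 200
"""


def decode_fully(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times, stopping early once the value is stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_iis_log(text: str) -> list:
    """Return one hit per (request, parameter) whose decoded value looks like XSS."""
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header drives the column mapping
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                           # malformed line: skip rather than crash
        rec = dict(zip(fields, parts))
        if rec.get("cs-uri-stem", "").lower() != PAGE:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":                       # IIS writes '-' for an empty query string
            continue
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                value = decode_fully(raw)      # parse_qs decoded once; handle a second layer
                if XSS_RE.search(value):
                    hits.append({
                        "time": f"{rec.get('date')} {rec.get('time')}",
                        "ip": rec.get("c-ip"),
                        "param": name,
                        "known_vulnerable_param": name.lower() in KNOWN_PARAMS,
                        "value": value,
                    })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

On the constructed sample this yields three hits, all from 198.51.100.7: the plain <script> payload, the attribute-breakout payload in UO, and the double-encoded javascript: URL that a raw-log substring search would not catch. The request to other.asp is ignored because the scan is scoped to the vulnerable page.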