CVE-2025-59765

6.1 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in the login form of AndSoft's e-TMS: the page echoes several query-string parameters into its HTML without encoding, so a crafted link runs attacker-supplied JavaScript in the victim's browser in the context of the e-TMS origin. A victim who opens such a link can have the session cookie read (if it is not HttpOnly), whatever they type into the login form captured, be redirected to a phishing page, or have actions performed on their behalf inside the application. Organizations running e-TMS v25.03 with an internet-reachable login page are the primary targets, because the link can be mailed to anyone who can reach that page.

💻 Affected Systems

Products:
  • AndSoft e-TMS
Versions: v25.03
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable page is the login form /clt/LOGINFRM_LF.ASP; the reflected parameters are l, demo, demo2, TNTLOGIN, UO and SuppConn.


⚠️ Risk & Real-World Impact

🔴 Worst Case

An administrator opens the crafted link while logged in, or logs in through the tampered form: the attacker captures the admin session or credentials and gains full access to everything the e-TMS application exposes, acting as that administrator. If the session cookie is HttpOnly the cookie itself cannot be read, but the injected script can still drive the application with the victim's session.

🟠 Likely Case

Ordinary users are phished with the crafted link; the attacker hijacks their sessions, reads their data and performs actions as them within the application.

🟢 If Mitigated

With context-aware output encoding of the reflected parameters (HTML-body or HTML-attribute encoding, depending on where each value lands), the injected characters are rendered as text and no script executes. A Content Security Policy that disallows inline scripts adds a second layer.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Likely (the whole exploit is a crafted URL; no public PoC is needed to build one)
Unauthenticated Exploit: ⚠️ Yes (the login page is reachable before authentication, but a victim must open the link)
Complexity: LOW

Reflected XSS against a login page is a standard phishing primitive: the link points at the legitimate host, so it survives a glance at the URL bar. Nothing beyond reaching /clt/LOGINFRM_LF.ASP is required to trigger it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (not stated in the advisory at the time of writing)

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms

Restart Required: Unknown until the vendor publishes the fix

Instructions:

1. Monitor AndSoft vendor communications and the INCIBE-CERT advisory above for a fixed build.
2. Apply the security update as soon as it is available; the login page is exposed pre-authentication, so prioritise internet-facing instances.
3. Test the update in a non-production environment first, then re-run the reflection checks under "How to Verify".

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (all platforms)

Deploy WAF rules that inspect the query string of /clt/LOGINFRM_LF.ASP and block requests whose l, demo, demo2, TNTLOGIN, UO or SuppConn values contain HTML metacharacters (<, >, ") after URL decoding. Decode before matching: payloads are routinely URL-encoded or double-encoded to slip past literal "<script>" signatures. Treat this as a stopgap; filters of this kind are bypassable.

Input Validation Filter (Windows / IIS, classic ASP)

Where the page source is available, encode each reflected parameter at the point of output with Server.HTMLEncode (or the attribute or JavaScript-string encoding appropriate to the context it lands in). Rejecting values that contain <, > or " on input is a useful additional restriction, but validation alone is not a complete fix for reflected XSS; output encoding is.

🧯 If You Can't Patch

  • Add a Content Security Policy header that disallows inline script (no 'unsafe-inline' in script-src). This only helps if the login page itself does not depend on inline scripts, which legacy classic ASP pages often do, so test in report-only mode before enforcing.
  • Put the application behind a reverse proxy or WAF that URL-decodes and inspects the query string of /clt/LOGINFRM_LF.ASP for the parameters listed above.
  • Mark the session cookie HttpOnly and Secure so that a successful injection cannot read it directly (it can still act within the victim's session).

🔍 How to Verify

Check if Vulnerable:

Send a harmless marker that contains the characters an injection needs (a double quote, < and >) in each of l, demo, demo2, TNTLOGIN, UO and SuppConn on /clt/LOGINFRM_LF.ASP, one parameter at a time, and look at where the value comes back in the HTML. If the characters are echoed unencoded, the parameter is vulnerable; if they come back as &quot;, &lt; and &gt;, it is encoded. A bare quote coming back raw inside an attribute is still exploitable even when < and > are encoded. Avoid firing real <script> payloads at production: a marker proves the same thing without tripping the WAF or alarming users.

Check Version:

Check application version in administrative interface or configuration files

Verify Fix Applied:

Re-test with XSS payloads after applying mitigations to confirm scripts are no longer executed
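The verification steps above can be automated without a real payload. The script below is an added example (it is not part of this advisory or of AndSoft's software): it builds one probe URL per listed parameter with a unique canary ending in the three characters an HTML injection needs, and classifies how a response echoes that canary. The hostname and the sample response bodies are constructed for illustration; the path and parameter names come from the advisory.

```python
"""Non-destructive reflection probe for the e-TMS login form (added example).

Rather than injecting <script>alert(1)</script>, which WAFs flag and which
proves little about encoding, send a unique canary that contains the three
characters an HTML injection needs and see how the page echoes them back:
  raw      -> all three come back unencoded: vulnerable
  partial  -> some come back raw (e.g. a bare quote in an attribute): still exploitable
  encoded  -> all three are HTML-encoded: fixed
  absent   -> the parameter is not reflected at all
"""
import secrets
import urllib.error
import urllib.request
from urllib.parse import urlencode, urljoin

VULN_PATH = "/clt/LOGINFRM_LF.ASP"
VULN_PARAMS = ("l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn")  # from the advisory
SPECIALS = '"<>'
# Accepted encoded forms of each special character (Server.HTMLEncode emits the first).
ENCODINGS = {
    '"': ("&quot;", "&#34;", "&#x22;"),
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
}


def make_canary(tag=None):
    """Random alphanumeric marker followed by the specials: the marker makes the
    reflection unambiguous, the specials show whether encoding happens."""
    return "cnry" + (tag or secrets.token_hex(4)) + SPECIALS


def probe_urls(base_url, canary):
    """One URL per parameter so the result tells us which parameter reflects."""
    page = urljoin(base_url, VULN_PATH)
    return {p: f"{page}?{urlencode({p: canary})}" for p in VULN_PARAMS}


def _raw_specials_after(low_body, pos):
    """Walk the specials that should follow the marker at `pos`; return the ones
    that appear raw. Encoded ones are skipped, stripped ones simply do not advance."""
    raw = set()
    for ch in SPECIALS:
        if low_body.startswith(ch, pos):
            raw.add(ch)
            pos += 1
            continue
        enc = next((e for e in ENCODINGS[ch] if low_body.startswith(e, pos)), None)
        if enc:
            pos += len(enc)
    return raw


def classify_reflection(body, canary):
    """Classify how `body` reflects `canary`: 'raw', 'partial', 'encoded' or 'absent'."""
    marker = canary[: -len(SPECIALS)].lower()
    low = body.lower()
    pos = low.find(marker)
    if pos == -1:
        return "absent"
    verdict = "encoded"
    while pos != -1:
        raw = _raw_specials_after(low, pos + len(marker))
        if raw == set(SPECIALS):
            return "raw"  # one fully raw reflection is enough to be vulnerable
        if raw:
            verdict = "partial"
        pos = low.find(marker, pos + 1)
    return verdict


def probe(base_url, timeout=10):
    """Live check against a host you are authorised to test; returns {param: verdict}.
    Error responses are read too, since a 500 page can still reflect input."""
    canary = make_canary()
    results = {}
    for param, url in probe_urls(base_url, canary).items():
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")
        results[param] = classify_reflection(body, canary)
    return results


if __name__ == "__main__":
    import sys
    # Usage: python probe.py https://tms.example   (hostname is a placeholder)
    for param, verdict in probe(sys.argv[1]).items():
        print(f"{param:10} {verdict}")
```

Run it before and after the fix: a vulnerable build reports "raw" (or "partial") for the reflecting parameters, a fixed one reports "encoded" or "absent" for all six.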

📡 Detection & Monitoring

Log Indicators:

  • Query-string values for l, demo, demo2, TNTLOGIN, UO or SuppConn on /clt/LOGINFRM_LF.ASP that decode to HTML tags, javascript: URLs or event-handler attributes (inspect the URL-decoded value; IIS logs the query string as received, still encoded)
  • Bursts of requests to the login page from a single client with rapidly varying values in those parameters (scanner or manual fuzzing)

Network Indicators:

  • HTTP requests to /clt/LOGINFRM_LF.ASP containing script tags or JavaScript in parameters

SIEM Query:

source="web_server" AND uri="/clt/LOGINFRM_LF.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value CONTAINS "<script" OR value CONTAINS "%3Cscript" OR value CONTAINS "javascript:" OR value CONTAINS "javascript%3A" OR value CONTAINS "onerror" OR value CONTAINS "onload")

This is pseudo-syntax to adapt to your SIEM. Match the URI case-insensitively (IIS paths are) and, where the platform supports it, URL-decode the value before matching instead of enumerating encoded variants.
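A literal match on "<script>" misses the URL-encoded and double-encoded forms in which the web server actually records these requests. The following Python script is an added example, not part of this advisory: it parses IIS W3C extended log lines, keeps only requests to /clt/LOGINFRM_LF.ASP, URL-decodes the six listed parameters (with extra rounds to catch double encoding) and flags XSS indicators. The log lines are constructed sample data, not a real capture. Only GET query strings are visible in these logs; a POSTed body is not logged by IIS.

```python
"""Hunt for XSS probes against the e-TMS login form in IIS W3C logs (added example)."""
import re
from urllib.parse import parse_qsl, unquote

TARGET_STEM = "/clt/loginfrm_lf.asp"  # IIS paths are case-insensitive
WATCH_PARAMS = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}
# After decoding: a tag opener, a javascript: URL, an inline event handler, or a data: URL.
XSS_PATTERN = re.compile(r"<[a-z!/?]|javascript\s*:|\bon[a-z]+\s*=|data:text/html", re.IGNORECASE)

# Constructed sample log (not a real capture). IIS writes cs-uri-query as received,
# i.e. still URL-encoded, and '-' when there is no query string.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-25 08:14:02 10.0.0.5 GET /clt/LOGINFRM_LF.ASP l=es&demo=0 443 - 198.51.100.7 Mozilla/5.0 200
2025-09-25 08:14:09 10.0.0.5 GET /clt/LOGINFRM_LF.ASP l=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.9 curl/8.4.0 200
2025-09-25 08:14:11 10.0.0.5 GET /clt/loginfrm_lf.asp UO=%2522%253E%253Cimg+src%253Dx+onerror%253Dalert(1)%253E 443 - 203.0.113.9 curl/8.4.0 200
2025-09-25 08:14:15 10.0.0.5 GET /clt/LOGINFRM_LF.ASP SuppConn=javascript%3Aalert(document.cookie) 443 - 203.0.113.9 curl/8.4.0 200
2025-09-25 08:15:01 10.0.0.5 GET /clt/other.asp l=%3Cscript%3E 443 - 203.0.113.9 curl/8.4.0 404
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def decode_value(value, rounds=2):
    """URL-decode repeatedly but boundedly (%253C -> %3C -> <). parse_qsl already
    did one round, so this catches double- and triple-encoded payloads."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(text):
    """Return one finding per (request, parameter) whose decoded value looks like XSS."""
    hits = []
    for rec in parse_iis_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in WATCH_PARAMS:
                continue
            decoded = decode_value(value)
            if XSS_PATTERN.search(decoded):
                hits.append({
                    "time": f"{rec.get('date')} {rec.get('time')}",
                    "client": rec.get("c-ip"),
                    "param": name,
                    "payload": decoded,
                    "status": rec.get("sc-status"),
                })
    return hits


if __name__ == "__main__":
    for h in find_xss_probes(SAMPLE_LOG):
        print(f"{h['time']} {h['client']:>15} {h['param']:9} {h['status']} {h['payload']}")
```

On the sample data the benign login request and the hit against a different page are ignored, while the three probes from 203.0.113.9 are reported with their decoded payloads, including the double-encoded one that a literal "<script>" match would never see. A 200 status on such a request means the page served the payload back; whether it executed is only answerable with the reflection check under "How to Verify".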
