CVE-2025-59766
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03 allows attackers to inject malicious JavaScript via specially crafted URLs carrying malicious parameter values. When a victim opens such a link, the attacker's script runs in the victim's browser session. Organizations running the vulnerable e-TMS version are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim systems.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute malicious scripts.
🎯 Exploit Status
Reflected XSS typically requires user interaction (clicking a malicious link) but requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
Check the vendor advisory for updates. If a patch is available, apply it following the vendor's instructions; otherwise implement the workarounds below.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation for the parameters l, demo, demo2, TNTLOGIN, UO and SuppConn handled by LOGINFRM_LT.ASP.
Encode each of these values before it is written into the response, e.g. Server.HTMLEncode(Request.QueryString("parameter")) for each vulnerable parameter.
Web Application Firewall (WAF)
Deploy WAF rules to block XSS payloads in query parameters
Configure WAF to filter: <script>, javascript:, onload=, onerror=, etc.
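The Server.HTMLEncode workaround above, shown as an added Python example (this is not AndSoft's code or the advisory's): the same page fragment is rendered once with the raw parameter value and once with the value HTML-encoded, and an HTML parser reports which start tags a browser would see in each case. The span template, the html.escape stand-in for Server.HTMLEncode and the probe query are assumptions made for this example; the parameter names and the probe string come from the advisory.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Query parameters the advisory lists as reflected by /clt/LOGINFRM_LT.ASP.
REFLECTED_PARAMS = ("l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn")

# Constructed stand-in for a page fragment that echoes each parameter into
# the HTML body; an assumption for this example, not AndSoft's template.
FIELD_TEMPLATE = '<span class="{name}">{value}</span>'


def reflected_values(query_string):
    """Map each reflected parameter present in the query to its first value."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {p: parsed[p][0] for p in REFLECTED_PARAMS if p in parsed}


def render_unencoded(query_string):
    """Vulnerable pattern: the raw parameter value is copied into the HTML."""
    fields = [FIELD_TEMPLATE.format(name=p, value=v)
              for p, v in reflected_values(query_string).items()]
    return "<form>" + "".join(fields) + "</form>"


def render_encoded(query_string):
    """Hardened pattern: every reflected value is HTML-encoded first.

    html.escape(quote=True) stands in for Server.HTMLEncode here: it turns
    < > & " ' into character references, so a value can no longer open a
    tag or break out of an attribute.
    """
    fields = [FIELD_TEMPLATE.format(name=p, value=html.escape(v, quote=True))
              for p, v in reflected_values(query_string).items()]
    return "<form>" + "".join(fields) + "</form>"


class _TagCollector(HTMLParser):
    """Records the start tags an HTML parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen_by_browser(rendered):
    """Start tags a parser extracts from the page: an injected <script>
    shows up here only when the value was reflected without encoding."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    # The probe string from the advisory's verification step, sent in 'l'.
    query = "l=<script>alert('XSS')</script>&TNTLOGIN=demo"
    print("unencoded:", tags_seen_by_browser(render_unencoded(query)))
    print("encoded:  ", tags_seen_by_browser(render_encoded(query)))
```

Running the module prints the tag list for both renderings: the unencoded page yields a script start tag, the encoded one does not, which is exactly the difference the "Verify Fix Applied" step below looks for in the response body.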
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Monitor and block suspicious URLs containing the vulnerable parameters in web server logs
🔍 How to Verify
Check if Vulnerable:
Request /clt/LOGINFRM_LT.ASP?parameter=<script>alert('XSS')</script> with each vulnerable parameter name in place of "parameter" and check whether the script executes in the browser.
Check Version:
Check application version in interface or configuration files
Verify Fix Applied:
Repeat the vulnerability test after applying the fixes: the script should not execute, and the parameter values should appear HTML-encoded in the response.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to LOGINFRM_LT.ASP containing script tags or JavaScript in query parameters
- Unusual parameter values in login requests
Network Indicators:
- URLs with encoded script payloads in parameters
- Requests to login page with suspicious query strings
SIEM Query:
source="web_server" AND uri="/clt/LOGINFRM_LT.ASP" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
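An added Python example (not the advisory's or AndSoft's code) that applies the log and network indicators above to a constructed, simplified IIS-style access log: it keeps only requests for LOGINFRM_LT.ASP, URL-decodes the six reflected parameters repeatedly so percent-encoded and double-encoded payloads are caught, and flags values carrying the indicators the WAF guidance names. It also replays the SIEM query's literal CONTAINS "<script>" match to show which encoded lines that match would miss. The log layout, the sample lines and the indicator regex are assumptions; the path and parameter names come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote

# Page and parameters named in the advisory; the path comparison is
# case-insensitive because IIS serves ASP paths case-insensitively.
TARGET_PATH = "/clt/loginfrm_lt.asp"
REFLECTED_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}

# Indicators from the WAF/SIEM guidance (tag opener, javascript: URL,
# on*= event handler), applied to the decoded value. Constructed pattern.
XSS_INDICATORS = re.compile(r"<[a-z/!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Constructed, simplified IIS-style layout:
# date time method uri-stem uri-query client-ip status ("-" = empty query).
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<stem>\S+) "
    r"(?P<query>\S+) (?P<client>\S+) (?P<status>\d+)$"
)

# Constructed sample lines: a normal login, the advisory's probe string sent
# literally, percent-encoded and double-encoded, and a hit on another page.
SAMPLE_LOG_LINES = [
    "2025-09-24 10:14:55 GET /clt/LOGINFRM_LT.ASP l=es&UO=1001 198.51.100.7 200",
    "2025-09-24 10:15:02 GET /clt/LOGINFRM_LT.ASP l=<script>alert('XSS')</script> 203.0.113.5 200",
    "2025-09-24 10:15:09 GET /clt/LOGINFRM_LT.ASP demo=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E 203.0.113.5 200",
    "2025-09-24 10:15:21 GET /clt/LOGINFRM_LT.ASP TNTLOGIN=%253Cscript%253Ealert('XSS')%253C%252Fscript%253E 203.0.113.5 200",
    "2025-09-24 10:15:40 GET /clt/example_other_page.asp l=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E 203.0.113.5 404",
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    return rec


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (bounded, so a pathological value cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(query):
    """Return {param: decoded value} for reflected params carrying an XSS indicator."""
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in REFLECTED_PARAMS:
            continue
        for value in values:
            decoded = decode_fully(value)
            if XSS_INDICATORS.search(decoded):
                hits[name] = decoded
    return hits


def scan(lines):
    """Alerts for requests to the vulnerable page whose reflected params look like XSS probes."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["stem"].lower() != TARGET_PATH:
            continue
        hits = suspicious_params(rec["query"])
        if hits:
            alerts.append({"time": f"{rec['date']} {rec['time']}",
                           "client": rec["client"], "params": hits})
    return alerts


def siem_literal_match(line):
    """The SIEM query as written: literal '<script>' / 'javascript:' in the raw query."""
    rec = parse_line(line)
    if rec is None or rec["stem"].lower() != TARGET_PATH:
        return False
    raw = rec["query"]
    return "<script>" in raw or "javascript:" in raw.lower()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG_LINES):
        print(alert)
    print("literal SIEM match per line:",
          [siem_literal_match(line) for line in SAMPLE_LOG_LINES])
```

Against the sample log, scan() raises three alerts (the literal, percent-encoded and double-encoded probes), while the literal SIEM match fires only on the plain one; decoding the query before matching, or adding the encoded forms to the query, closes that gap.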