CVE-2025-59768
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to inject malicious JavaScript via specially crafted URLs whose parameters carry script content. When a victim opens such a link, the injected script runs in the victim's browser session with the application's origin. This affects all users of the vulnerable e-TMS web application.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized before execution.
🎯 Exploit Status
Reflected XSS typically requires minimal technical skill to exploit once the vulnerable parameters are identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. Apply any available patches for e-TMS v25.03.
3. Test the application after patching.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block requests containing suspicious JavaScript patterns in the vulnerable parameters.
Input Validation Filter
Add server-side validation to sanitize the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters before processing, and HTML-encode any of these values that are reflected into the response.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources.
- Disable or restrict access to the '/clt/LOGINFRM_MNG.ASP' endpoint if not required.
🔍 How to Verify
Check if Vulnerable:
Test by sending a request to '/clt/LOGINFRM_MNG.ASP' with the listed parameters set to a simple XSS probe such as <script>alert('test')</script>, and check whether the script executes in the browser.
Check Version:
Check application interface or configuration files for version information (typically shows v25.03 in about/help sections).
Verify Fix Applied:
Retest with the same XSS payloads after implementing fixes; the scripts should not execute, and the reflected input should appear HTML-encoded in the response.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to LOGINFRM_MNG.ASP containing script tags or JavaScript code in parameter values.
- Unusual parameter values in login-related requests.
Network Indicators:
- URLs with encoded script payloads in parameters being sent to the e-TMS server.
SIEM Query:
source="web_server_logs" AND uri="/clt/LOGINFRM_MNG.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
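The SIEM query above only matches literal "<script>" and "javascript:" strings. The following added example (not part of the advisory or of e-TMS) applies the same logic to web server access lines while URL-decoding parameter values first, so percent-encoded and double-encoded variants are caught as well; the log format, IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint and parameters named in the advisory as reflecting user input.
VULN_PATH = "/clt/LOGINFRM_MNG.ASP"
VULN_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}

# Same indicators as the SIEM query, matched case-insensitively after decoding.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Common Log Format: ip ident user [ts] "METHOD uri HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def inspect_request(uri):
    """Return [(param, decoded_value), ...] for suspicious values, or [] if clean."""
    parts = urlsplit(uri)
    # ASP paths on IIS are case-insensitive, so compare the path in lower case.
    if parts.path.lower() != VULN_PATH.lower():
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in VULN_PARAMS:
            decoded = decode_fully(value)  # parse_qsl already decoded once
            if SUSPICIOUS.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return (ip, timestamp, param, decoded_value) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for param, value in inspect_request(m["uri"]):
                findings.append((m["ip"], m["ts"], param, value))
    return findings

# Constructed sample log lines (TEST-NET-3 addresses), not from any real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Sep/2025:10:00:01 +0200] "GET /clt/LOGINFRM_MNG.ASP?l=es&UO=ACME HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Sep/2025:10:00:07 +0200] "GET /clt/LOGINFRM_MNG.ASP?demo=%3Cscript%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [24/Sep/2025:10:00:09 +0200] "GET /clt/loginfrm_mng.asp?TNTLOGIN=%253Cscript%253E HTTP/1.1" 200 530',
    '203.0.113.9 - - [24/Sep/2025:10:00:12 +0200] "GET /clt/LOGINFRM_MNG.ASP?SuppConn=JavaScript%3A HTTP/1.1" 200 530',
    '203.0.113.7 - - [24/Sep/2025:10:00:15 +0200] "GET /other.asp?l=%3Cscript%3E HTTP/1.1" 200 100',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three requests to the login endpoint (including the lower-case path and the double-encoded value) and ignores the clean request and the request to an unrelated page.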