CVE-2025-59769
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to inject malicious JavaScript via specially crafted URLs that carry a payload in one of the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' or 'SuppConn' parameters. When victims click these links, the attacker can steal session cookies, redirect users, or perform actions on their behalf. Organizations using AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft, a transport management system.
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full administrative access to the e-TMS system, modifies configurations, accesses sensitive transportation management data, and potentially pivots to other systems.
Likely Case
Attacker steals user session cookies to impersonate legitimate users, accesses sensitive transportation data, modifies shipment information, or redirects users to phishing sites.
If Mitigated
With proper input validation and output encoding, the malicious scripts are neutralized, preventing execution while maintaining normal system functionality.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized. Attack requires user interaction (clicking malicious link) but no authentication to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available information
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Check the AndSoft vendor website for security updates.
2. Apply any available patches for e-TMS.
3. Verify the fix by testing the vulnerable parameters.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block malicious XSS payloads targeting the vulnerable parameters
Input Validation Filter
Add server-side input validation for the affected parameters to sanitize user input
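The validation-plus-encoding fix described under "If Mitigated" and in the input-validation workaround, as an added example that is not AndSoft's code: e-TMS is classic ASP, and this Python only mirrors the pattern. The six parameter names and the endpoint path come from the advisory; the reflection contexts (a hidden input and the form action URL), the allowlist regex and the 32-character limit are assumptions made for the example.

```python
"""Server-side validation and output encoding for reflected login-page parameters.

Added example, not AndSoft code. Parameter names and the endpoint come from
the advisory; the reflection contexts, allowlist regex and length limit are
assumptions made for this example.
"""
import html
import re
from urllib.parse import urlencode

REFLECTED_PARAMS = ("l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn")
ENDPOINT = "/clt/LOGINFRM_MOL.ASP"
# Assumed allowlist: a short token of letters, digits, '_', '-' and '.'.
# Nothing in this set can open a tag, break out of a quoted attribute or
# form a 'javascript:' URL, so anything else is rejected rather than cleaned.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate(params):
    """Keep only known parameters whose values match the allowlist; blank everything else."""
    clean = {}
    for name in REFLECTED_PARAMS:
        value = params.get(name, "")
        clean[name] = value if value == "" or TOKEN_RE.fullmatch(value) else ""
    return clean


def render_vulnerable(params):
    """Before: raw string building, so a value containing markup is reflected verbatim."""
    hidden = "".join(
        '<input type="hidden" name="%s" value="%s">' % (n, params.get(n, ""))
        for n in REFLECTED_PARAMS
    )
    query = "&".join("%s=%s" % (n, params.get(n, "")) for n in REFLECTED_PARAMS)
    return '<form action="%s?%s">%s</form>' % (ENDPOINT, query, hidden)


def render_hardened(params):
    """After: allowlist validation, then encoding chosen per output context.

    - attribute value: HTML-escape with quote=True so '"' cannot close the attribute
    - URL in the action attribute: URL-encode the query, then HTML-escape the result
    Encoding is applied even to validated values (defence in depth).
    """
    clean = validate(params)
    hidden = "".join(
        '<input type="hidden" name="%s" value="%s">' % (n, html.escape(clean[n], quote=True))
        for n in REFLECTED_PARAMS
    )
    query = urlencode(clean)
    return '<form action="%s?%s">%s</form>' % (ENDPOINT, html.escape(query, quote=True), hidden)


if __name__ == "__main__":
    # Constructed probe value: the shape the SIEM query on this page looks for.
    probe = {"l": '"><script>x</script>'}
    print(render_vulnerable(probe))
    print(render_hardened(probe))
```

The allowlist does the real work: because no accepted character can start a tag, close a quoted attribute or form a URL scheme, the same value is safe in both contexts. Encoding still runs on the validated value so that a later loosening of the regex does not silently reopen the hole.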
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Deploy network segmentation to restrict access to the vulnerable application and monitor for suspicious URL patterns
🔍 How to Verify
Check if Vulnerable:
Test the '/clt/LOGINFRM_MOL.ASP' endpoint with XSS payloads in the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters and check whether the reflected value executes as script in the browser
Check Version:
Check application version in web interface or configuration files
Verify Fix Applied:
Retest the vulnerable parameters with XSS payloads and verify scripts do not execute; check that input is properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusually long parameter values in '/clt/LOGINFRM_MOL.ASP' requests
- Requests containing JavaScript keywords in parameter values
- Multiple failed login attempts from same IP
Network Indicators:
- HTTP requests with suspicious characters (<, >, script, javascript) in parameter values
- Unusual referral URLs containing the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="/clt/LOGINFRM_MOL.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value="*<script>*" OR value="*javascript:*" OR value="*onerror=*" OR value="*onload=*")
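The same detection logic as the SIEM query, written as an added example (not AndSoft or INCIBE code) that runs over raw web-server access logs: it flags requests to /clt/LOGINFRM_MOL.ASP whose 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' or 'SuppConn' value contains one of the query's markers, and adds the "unusually long value" indicator. The log lines are constructed for the example; the 64-character length threshold, the second URL-decoding pass and the case-insensitive parameter-name matching (classic ASP reads query-string names case-insensitively) are assumptions made here.

```python
"""Detect reflected-XSS probing of the e-TMS login endpoint in access logs.

Added example, not AndSoft or INCIBE code. Mirrors the SIEM query on this
page. Sample log lines, the length threshold and the case-insensitive
parameter matching are assumptions made for the example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

VULN_PATH = "/clt/loginfrm_mol.asp"   # compared lower-cased: IIS paths are case-insensitive
# Classic ASP maps query-string names case-insensitively, so compare lower-cased.
VULN_PARAMS = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}
MARKERS = ("<script>", "javascript:", "onerror=", "onload=")   # markers from the SIEM query
MAX_LEN = 64                                                   # assumed "unusually long" threshold

# Combined Log Format: ip ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic for the example (not real logs).
SAMPLE_LOGS = [
    '203.0.113.5 - - [24/Sep/2025:10:00:01 +0000] "GET /clt/LOGINFRM_MOL.ASP?l=en&UO=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Sep/2025:10:00:02 +0000] "GET /clt/LOGINFRM_MOL.ASP?l=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640',
    # Double URL-encoded: one decode leaves %3C..., a second pass reveals the marker.
    '198.51.100.7 - - [24/Sep/2025:10:00:03 +0000] "GET /clt/LOGINFRM_MOL.ASP?SuppConn=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 640',
    # No marker, but far longer than any legitimate value.
    '198.51.100.7 - - [24/Sep/2025:10:00:04 +0000] "GET /clt/LOGINFRM_MOL.ASP?demo=' + "A" * 80 + ' HTTP/1.1" 200 640',
    # Same marker on a different page: outside this detection's scope.
    '198.51.100.7 - - [24/Sep/2025:10:00:05 +0000] "GET /clt/OTHER.ASP?l=%3Cscript%3E HTTP/1.1" 404 0',
    # Parameter name in a different case; ASP still maps it to demo2.
    '198.51.100.7 - - [24/Sep/2025:10:00:06 +0000] "GET /clt/LOGINFRM_MOL.ASP?DEMO2=javascript%3Avoid(0) HTTP/1.1" 200 640',
]


def suspicious_values(target):
    """Return (param, decoded_value, reason) for vulnerable-parameter values that look like probes."""
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH:
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in VULN_PARAMS:
            continue
        decoded = unquote(value)          # parse_qsl decoded once; this catches double encoding
        lowered = decoded.lower()
        marker = next((m for m in MARKERS if m in lowered), None)
        if marker:
            findings.append((name, decoded, "marker:" + marker))
        elif len(decoded) > MAX_LEN:
            findings.append((name, decoded, "length:%d" % len(decoded)))
    return findings


def scan(lines):
    """Parse access-log lines and return one alert per suspicious parameter value."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip rather than stop the pipeline
        for name, value, reason in suspicious_values(m.group("target")):
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                           "param": name, "value": value, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(a["ts"], a["ip"], a["param"], a["reason"])
```

Two details matter in practice: the extra `unquote` pass catches double-encoded values that a single-decode SIEM match would miss, and the HTTP status is kept in each alert because a 200 on the vulnerable page with a marker in the value means the reflection was served, which is worth a higher severity than a blocked or 404 request.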