CVE-2025-59771
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS allows attackers to inject malicious JavaScript via specially crafted URLs that carry the payload in the l, demo, demo2, TNTLOGIN, UO or SuppConn parameters. When a victim opens such a link, the attacker can steal session cookies, redirect the user, or perform actions on their behalf. Organizations using AndSoft e-TMS v25.03 are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft, a transportation management system.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, deface the application, or perform unauthorized actions on behalf of authenticated users.
Likely Case
Attackers will typically use this to steal session cookies and hijack user accounts, potentially gaining access to sensitive transportation management data.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be neutralized, preventing execution in victim browsers.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited via phishing emails or malicious links. No authentication is required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
1. Contact AndSoft vendor for patch availability.
2. Apply any available security updates.
3. Test the fix in a non-production environment first.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation that HTML-encodes the vulnerable parameters before they are processed or echoed back into the page.
Implement ASP (VBScript) encoding of each reflected parameter:
<%
Function SanitizeInput(input)
    ' Encode & first so the entities produced below are not encoded a second time.
    input = Replace(input, "&", "&amp;")
    input = Replace(input, "<", "&lt;")
    input = Replace(input, ">", "&gt;")
    input = Replace(input, "'", "&#39;")
    ' A literal double quote inside a VBScript string literal is written as two double quotes.
    input = Replace(input, """", "&quot;")
    SanitizeInput = input
End Function
%>
Apply it at every point where the l, demo, demo2, TNTLOGIN, UO and SuppConn values are written into the response, for example Response.Write SanitizeInput(Request.QueryString("l")).
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to block malicious requests containing script payloads.
Configure WAF rules to block requests containing strings such as <script>, javascript:, onerror= or onload=; make sure the rules inspect the URL-decoded query string, since percent-encoded payloads otherwise pass through untouched.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources.
- Disable or restrict access to the vulnerable '/clt/LOGINFRM_MRK.ASP' endpoint if not required.
🔍 How to Verify
Check if Vulnerable:
Test by accessing: http://[target]/clt/LOGINFRM_MRK.ASP?l=<script>alert('XSS')</script> and checking if script executes.
Check Version:
Check application version in web interface or contact vendor for version identification method.
Verify Fix Applied:
Retest with the same payload after applying fixes; the script should not execute, and the payload should come back HTML-encoded (for example &lt;script&gt;) in the response body.
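An added Python helper for the "Verify Fix Applied" step (example code, not from the advisory or the vendor): given the HTML returned when the test payload is reflected, it reports whether the payload came back raw, fully HTML-encoded, only partially encoded (for instance < and > encoded but the single quote left raw, which is still enough to break out of an attribute value), or not at all. The response bodies are constructed samples, not real e-TMS output, and the function names are my own.

```python
"""
Classify how a reflected test payload came back in an HTTP response body.
Added example: not part of the advisory; sample bodies below are constructed.
"""
import re

# The advisory's test payload for the vulnerable 'l' parameter.
PAYLOAD = "<script>alert('XSS')</script>"

# Characters that must be encoded when reflected into HTML, with the entity
# spellings a server might reasonably use for each.
ENTITY_FORMS = {
    "<": ["&lt;", "&#60;", "&#x3c;"],
    ">": ["&gt;", "&#62;", "&#x3e;"],
    "'": ["&#39;", "&#x27;", "&apos;"],
    '"': ["&quot;", "&#34;", "&#x22;"],
}


def build_pattern(payload: str) -> re.Pattern:
    """Regex matching the payload with every dangerous character either raw or entity-encoded."""
    parts = []
    for ch in payload:
        if ch in ENTITY_FORMS:
            alts = "|".join(re.escape(e) for e in ENTITY_FORMS[ch])
            parts.append(f"(?:{re.escape(ch)}|{alts})")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def reflection_report(body: str, payload: str = PAYLOAD) -> dict:
    """
    Return {"status": ..., "raw": [...]} where status is one of
    'absent', 'encoded', 'partial' or 'raw' and raw lists the dangerous
    characters that were reflected without encoding.
    """
    m = build_pattern(payload).search(body)
    if m is None:
        return {"status": "absent", "raw": []}
    reflected = m.group(0)
    # Entity spellings contain no dangerous characters themselves, so any
    # dangerous character present in the matched text was echoed raw.
    raw = sorted({c for c in reflected if c in ENTITY_FORMS})
    must_encode = sorted({c for c in payload if c in ENTITY_FORMS})
    if not raw:
        status = "encoded"
    elif raw == must_encode:
        status = "raw"
    else:
        status = "partial"
    return {"status": status, "raw": raw, "reflected": reflected}


# Constructed response fragments for a form field that echoes the 'l' parameter.
SAMPLES = {
    "unpatched": "<input name=\"l\" value=\"<script>alert('XSS')</script>\">",
    "fixed": "<input name=\"l\" value=\"&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;\">",
    "partial": "<input name=\"l\" value=\"&lt;script&gt;alert('XSS')&lt;/script&gt;\">",
    "absent": "<input name=\"l\" value=\"\">",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {reflection_report(body)}")
```

Treat anything other than "encoded" or "absent" as a failed fix: a "partial" result means the server encoded the angle brackets but still lets a quote close the attribute it is reflected into, so the page remains injectable in that context even though the literal alert payload no longer runs.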
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to LOGINFRM_MRK.ASP containing script tags or JavaScript code in parameters
- Unusual parameter values in l, demo, demo2, TNTLOGIN, UO, SuppConn parameters
Network Indicators:
- HTTP requests with encoded script payloads in query strings
- Multiple failed login attempts followed by suspicious parameter values
SIEM Query:
source="web_server" AND uri="/clt/LOGINFRM_MRK.ASP" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:" OR query CONTAINS "onerror=" OR query CONTAINS "onload=")
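The detection logic sketched above, as an added Python example that is not part of this advisory: it parses access-log lines in Common Log Format, keeps only requests to the /clt/LOGINFRM_MRK.ASP endpoint (compared case-insensitively, as IIS does), URL-decodes the six parameters the advisory names (repeatedly, so double-encoded payloads are caught as well) and matches the same indicators as the SIEM query plus generic on*= handlers. The log lines, client addresses and timestamps are constructed samples; the function names are my own.

```python
"""
Scan web server access-log lines for reflected-XSS attempts against the
e-TMS login page. Added example: not part of the advisory; log lines are
constructed samples.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint and parameter names taken from the advisory.
TARGET_PATH = "/clt/LOGINFRM_MRK.ASP"
WATCHED_PARAMS = {"l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn"}

# Indicators mirroring the advisory's SIEM query (<script>, javascript:,
# onerror=, onload=) generalised to any on*= handler and common tag vectors.
# Tune these to the application's legitimate parameter values to limit noise.
INDICATORS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)

# Common Log Format: host ident user [time] "METHOD URI PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (e.g. %253C) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a suspicious request to the login page, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, ts, method, uri, status = m.groups()
    parts = urlsplit(uri)
    if parts.path.upper() != TARGET_PATH.upper():
        return None
    hits = []
    # parse_qsl already decodes one layer; fully_decode peels any remaining ones.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        decoded = fully_decode(value)
        if INDICATORS.search(decoded):
            hits.append((name, decoded))
    if not hits:
        return None
    return {"client": client, "time": ts, "method": method,
            "status": status, "params": hits}


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:09:12:01 +0000] "GET /clt/LOGINFRM_MRK.ASP?l=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2025:09:12:05 +0000] "GET /clt/loginfrm_mrk.asp?UO=%2522%2520onerror%253Dalert(1)%2520 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Oct/2025:09:13:44 +0000] "GET /clt/LOGINFRM_MRK.ASP?l=es&demo=0 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Oct/2025:09:14:02 +0000] "GET /index.asp?q=%3Cscript%3E HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The second sample line is double-encoded and uses a lower-case path; a rule that only looks for a literal <script> in the raw URI, as the SIEM query above does, would miss it, which is why the decoding step and the case-insensitive path comparison are there.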