CVE-2025-59772
📋 TL;DR
This is a reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS version 25.03. An attacker who gets a victim to open a specially crafted URL can run arbitrary JavaScript in the victim's browser in the context of the e-TMS site. The vulnerability is in the '/clt/LOGINFRM_SIL.ASP' login page, which reflects the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO', and 'SuppConn' query parameters into the response without adequate encoding. Organizations running this version of e-TMS are affected.
💻 Affected Systems
- AndSoft e-TMS
📦 What is this software?
e-TMS by AndSoft, a transport management system (TMS) with a web front end.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions in the application as the victim, inject a fake login form on the real login page to capture credentials, or redirect victims to attacker-controlled sites that serve further browser-based attacks.
Likely Case
Session hijacking, credential theft, or defacement of the application interface for targeted users.
If Mitigated
Reduced impact if compensating controls are in place (HttpOnly and SameSite session cookies, a strict CSP, WAF filtering on the affected parameters), but the underlying flaw remains until the page itself encodes its output.
🎯 Exploit Status
Reflected XSS requires user interaction: the victim must open a crafted link, typically delivered by phishing. Once the vulnerable parameters are known, exploitation is straightforward, and because the affected page is the login form, a lure pointing at it is plausible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
Check with AndSoft for an updated version or patch (see the INCIBE-CERT advisory above). If none is available, modify the affected ASP page so that every place it writes these parameters into HTML passes them through output encoding (for example Server.HTMLEncode in classic ASP), and reject values that do not match the format each parameter is expected to carry.
🔧 Temporary Workarounds
Implement Input Validation and Output Encoding
Add server-side validation that rejects unexpected characters in the vulnerable parameters before they are processed, and HTML-encode them wherever they are echoed into the page.
Modify LOGINFRM_SIL.ASP to validate and encode these parameters: l, demo, demo2, TNTLOGIN, UO, SuppConn
Deploy WAF Rules
Configure the web application firewall to block requests to /clt/LOGINFRM_SIL.ASP whose query string carries script patterns in the vulnerable parameters. Make sure the rule inspects the URL-decoded value, since payloads normally arrive percent-encoded (and sometimes double-encoded).
Add a WAF rule to detect and block XSS patterns in the l, demo, demo2, TNTLOGIN, UO, SuppConn parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution
- Use browser security features like HttpOnly cookies and SameSite attributes to limit session theft
🔍 How to Verify
Check if Vulnerable:
Send a harmless canary value (a unique token followed by the characters <"'>) in each of the six parameters of /clt/LOGINFRM_SIL.ASP and inspect the raw HTML response. If the special characters come back unencoded next to the token, the page reflects input into HTML without encoding and is vulnerable; if they come back as entities such as &lt; and &quot;, encoding is in place.
Check Version:
Check the application interface or configuration files for version information (typically shows v25.03 in vulnerable installations).
Verify Fix Applied:
Repeat the same canary test against every parameter after the fix and confirm that no special character is reflected unencoded. Test each parameter separately: a fix that encodes five of the six still leaves the page exploitable.
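The canary check described above, as an added example written for this page (it is not AndSoft's code or test suite). It assumes the login page lives at a placeholder base URL plus /clt/LOGINFRM_SIL.ASP; the six parameter names are the ones from the advisory. The probe uses a unique token followed by <"'> rather than a live script payload, so it is safe to run against a production host, and the classifier distinguishes full encoding, partial encoding (quotes left raw, which still matters inside an attribute), stripping, and raw reflection.

```python
"""Offline classifier for reflected-XSS canary responses (added example)."""
import sys
import urllib.request
from urllib.parse import urlencode

VULN_PATH = "/clt/LOGINFRM_SIL.ASP"
PARAMS = ("l", "demo", "demo2", "TNTLOGIN", "UO", "SuppConn")

# A unique token so we can find our own input in the response, followed by
# the four characters a correct HTML encoder must neutralise.
TOKEN = "xssprobe7"
SPECIALS = '<"\'>'
CANARY = TOKEN + SPECIALS

# Accepted encoded forms for each special character.
ENTITIES = {
    "<": ("&lt;",),
    ">": ("&gt;",),
    '"': ("&quot;", "&#34;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
}


def build_probe_urls(base_url: str) -> dict:
    """One probe URL per vulnerable parameter, canary percent-encoded."""
    base = base_url.rstrip("/")
    return {p: f"{base}{VULN_PATH}?{urlencode({p: CANARY})}" for p in PARAMS}


def classify_reflection(body: str) -> str:
    """Classify how the response reflects the canary.

    'absent'   token not reflected at all
    'stripped' token reflected but the special characters were removed/altered
    'encoded'  all four specials came back as HTML entities
    'partial'  < and > encoded but a quote came back raw (attribute-context risk)
    'raw'      < or > came back unencoded: tag injection is possible
    """
    idx = body.find(TOKEN)
    if idx == -1:
        return "absent"
    pos = idx + len(TOKEN)
    unencoded = []
    for ch in SPECIALS:
        if body.startswith(ch, pos):
            unencoded.append(ch)
            pos += 1
            continue
        for ent in ENTITIES[ch]:
            if body.startswith(ent, pos):
                pos += len(ent)
                break
        else:
            return "stripped"
    if "<" in unencoded or ">" in unencoded:
        return "raw"
    if unencoded:
        return "partial"
    return "encoded"


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch each probe URL and classify the reflection (network access)."""
    results = {}
    for param, url in build_probe_urls(base_url).items():
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
        results[param] = classify_reflection(body)
    return results


if __name__ == "__main__":
    # Usage: python probe.py https://etms.example.invalid  (placeholder host)
    for param, verdict in probe(sys.argv[1]).items():
        print(f"{param:10s} {verdict}")
```

Any parameter that comes back 'raw' confirms the vulnerability; 'partial' is worth reporting too, because a value reflected inside a quoted attribute can still break out with a bare quote.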
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values containing script tags or JavaScript in requests to LOGINFRM_SIL.ASP
- Bursts of requests to LOGINFRM_SIL.ASP from a single client IP that cycle through the six parameters with varying values (scanner or fuzzer behaviour), with or without accompanying login attempts
Network Indicators:
- HTTP requests whose query string carries percent-encoded (or double-encoded) script payloads in the vulnerable parameters, e.g. %3Cscript%3E
- Victim browsers making requests to unknown external hosts immediately after loading LOGINFRM_SIL.ASP (cookie exfiltration or redirection); note that the script runs in the victim's browser, so the e-TMS server itself makes no unusual outbound connections
SIEM Query:
source="e-tms" AND uri="/clt/LOGINFRM_SIL.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value CONTAINS "<script" OR value CONTAINS "javascript:" OR value MATCHES "on[a-z]+=")
(Pseudo-query: adapt the field names to your log source. Web server logs usually store the raw query string, so URL-decode it before matching; a plain substring match on "<script>" misses %3Cscript%3E and double-encoded variants.)
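The detection logic from the SIEM query above run over log lines, as an added example written for this page rather than any vendor or SIEM content. It parses IIS W3C-format access logs (the natural source for a classic ASP application), URL-decodes each value repeatedly so double-encoded payloads are caught, and reports only the six parameters on the affected page. The sample log lines are constructed for the example; the client addresses are documentation ranges.

```python
"""Flag XSS probes against LOGINFRM_SIL.ASP in IIS W3C logs (added example)."""
import re
from urllib.parse import parse_qs, unquote_plus

VULN_STEM = "/clt/loginfrm_sil.asp"
PARAMS = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}

# Tag openers, script URL schemes and inline event handlers.
XSS_PATTERN = re.compile(
    r"<\s*/?\s*[a-z!]|javascript\s*:|vbscript\s*:|\bon[a-z]+\s*=|expression\s*\(",
    re.IGNORECASE,
)

# Constructed sample log (not real traffic). Field order follows IIS defaults.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-24 10:15:01 10.0.0.5 GET /clt/LOGINFRM_SIL.ASP l=es 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2025-09-24 10:15:09 10.0.0.5 GET /clt/LOGINFRM_SIL.ASP l=%3Cscript%3Ealert(document.cookie)%3C/script%3E 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2025-09-24 10:15:12 10.0.0.5 GET /clt/LOGINFRM_SIL.ASP demo=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 38
2025-09-24 10:16:00 10.0.0.5 GET /clt/LOGINFRM_SIL.ASP UO=1&SuppConn=javascript%3Aalert(1) 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 35
2025-09-24 10:16:30 10.0.0.5 GET /clt/other.asp l=%3Cscript%3E 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 5
2025-09-24 10:17:00 10.0.0.5 GET /clt/LOGINFRM_SIL.ASP user=%3Cscript%3E 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 30
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) to unwrap double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_iis_w3c(text: str):
    """Yield one dict per record, using the #Fields directive for names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record
        yield dict(zip(fields, parts))


def find_xss_hits(log_text: str) -> list:
    """Return records where a vulnerable parameter carries an XSS pattern."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        if rec.get("cs-uri-stem", "").lower() != VULN_STEM:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs decodes one layer; fully_decode unwraps any further layers.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in PARAMS:
                continue
            for raw in values:
                decoded = fully_decode(raw)
                match = XSS_PATTERN.search(decoded)
                if match:
                    hits.append({
                        "time": f"{rec['date']} {rec['time']}",
                        "client": rec.get("c-ip"),
                        "param": name,
                        "decoded": decoded,
                        "pattern": match.group(0),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_xss_hits(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['param']}={hit['decoded']!r} ({hit['pattern']})")
```

Against the constructed sample, the request to another page and the request using a parameter outside the six are ignored, while the single-encoded script tag, the double-encoded event handler and the javascript: URL are all reported. The bounded decode loop matters: the 'demo' payload only reveals onmouseover= after the second round.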