CVE-2025-59774
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in AndSoft's e-TMS v25.03 lets an attacker inject JavaScript through the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters of the '/clt/LOGINFRM_VON.ASP' page, which echoes them into the response without proper output encoding. A victim who opens an attacker-crafted link has that script run in their browser under the e-TMS origin, with access to whatever the page can see (non-HttpOnly cookies, the DOM, same-origin requests). Organizations running the vulnerable e-TMS version are affected.
💻 Affected Systems
- AndSoft e-TMS v25.03
📦 What is this software?
e-TMS, a web application by AndSoft. The affected page, '/clt/LOGINFRM_VON.ASP', is an ASP login form.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal session cookies that are not flagged HttpOnly, perform actions in the application as the victim via same-origin requests, redirect the victim to an attacker-controlled site, or overlay a fake login form on the legitimate page to capture credentials. XSS by itself does not install malware on the victim's system; that would require chaining with a browser exploit or tricking the user into running a download.
Likely Case
Session hijacking, credential theft through a spoofed login form, or defacement of the application interface through injected content, delivered by phishing links that point at the legitimate e-TMS host and therefore look trustworthy.
If Mitigated
Limited impact where compensating controls are in place (a Content Security Policy without 'unsafe-inline', HttpOnly session cookies, a WAF that URL-decodes and inspects query values), but the underlying flaw remains until the page HTML-encodes the reflected parameters.
🎯 Exploit Status
Reflected XSS requires user interaction: the victim must open the crafted link, typically delivered by phishing. The payload lives entirely in the URL, so no prior foothold is needed, and because the affected page is a login form the victim does not need an existing session for it to load. Exploitation is otherwise straightforward. This page references no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/update-24092025-multiple-vulnerabilities-andsofts-e-tms
Restart Required: No
Instructions:
Check vendor advisory for updates. Apply any available patches from AndSoft. If no patch exists, implement workarounds immediately.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation and context-appropriate output encoding (HTML-body or HTML-attribute encoding, depending on where each value is reflected) for all user-supplied input, especially the six listed parameters. Validation alone is not sufficient; the fix is to encode the value at the point where it is written into the page.
Web Application Firewall (WAF) Rules
Deploy WAF rules that URL-decode the query string and block requests to '/clt/LOGINFRM_VON.ASP' whose parameters contain script tags, event-handler attributes (onerror=, onload=) or 'javascript:' URLs. Treat this as a stopgap: WAF signatures are routinely bypassed with encoding and obfuscation.
🧯 If You Can't Patch
- Deploy a Content Security Policy whose script-src omits 'unsafe-inline' so injected inline scripts are not executed; test it first, since older ASP applications often depend on inline scripts and event handlers.
- Restrict access to '/clt/LOGINFRM_VON.ASP' (for example, to VPN users or allow-listed source addresses) if broad exposure is not required. Because this is the login page, blocking it outright will prevent users from signing in.
🔍 How to Verify
Check if Vulnerable:
Send a harmless, unique marker (for example, a random string followed by <"'>) in each of the 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO' and 'SuppConn' parameters of '/clt/LOGINFRM_VON.ASP' and inspect the response body. If the marker comes back with its angle brackets and quotes intact, the value is reflected without encoding and the page is vulnerable. Inspect error responses too: a reflection in a 4xx or 5xx page still executes in the browser.
Check Version:
Check the application version in the interface or configuration files; v25.03 is the version named in the advisory.
Verify Fix Applied:
Retest with the same markers after applying fixes; the reflected characters must come back HTML-encoded (for example &lt; &gt; &quot;) or not at all.
📡 Detection & Monitoring
Log Indicators:
- Requests to '/clt/LOGINFRM_VON.ASP' whose parameter values, after URL decoding, contain script tags, event-handler attributes (onerror=, onload=) or 'javascript:' URLs. Many payloads arrive percent-encoded (sometimes twice), so a literal search for '<script>' in the raw log line will miss them.
Network Indicators:
- HTTP requests to the affected endpoint with unusually long or heavily percent-encoded query strings, especially those arriving from external referrers (mail or chat links), which is how reflected XSS reaches its victims.
SIEM Query:
source="web_server" AND uri="/clt/LOGINFRM_VON.ASP" AND (param="l" OR param="demo" OR param="demo2" OR param="TNTLOGIN" OR param="UO" OR param="SuppConn") AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
The field names are placeholders; map them to your web-server log schema, and apply the match to the URL-decoded parameter value, otherwise encoded payloads (%3Cscript%3E) slip past the query.
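The detection logic described in this section, run over log lines. This is an added example, not vendor or advisory code. It assumes IIS W3C-style access logs with the field order shown in the comment (an assumption, since the page does not state the server's log format); the sample log lines are constructed for the example. Unlike the literal '<script>' match above, it URL-decodes each watched parameter twice before matching, so the double-encoded payload in the third sample line is caught:

```python
"""Log-based detection for CVE-2025-59774 probing (added example, not vendor code).

Scans IIS W3C-style log lines for requests to /clt/LOGINFRM_VON.ASP whose
watched parameters, after URL decoding, contain XSS payload shapes.  The log
field layout and the sample lines below are constructed for this example.
"""
import re
import urllib.parse

ENDPOINT = "/clt/LOGINFRM_VON.ASP"
# Parameter names from the advisory; compared case-insensitively because IIS/ASP ignores case.
WATCHED = {"l", "demo", "demo2", "tntlogin", "uo", "suppconn"}
# Broader than a literal "<script>": tag openers, event-handler attributes, javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*="
    r"|expression\s*\(",
    re.IGNORECASE,
)

# Assumed field order (IIS W3C): date time s-ip cs-method cs-uri-stem cs-uri-query
#                                s-port cs-username c-ip cs(User-Agent) sc-status
STEM, QUERY, CLIENT_IP = 4, 5, 8


def decode_twice(raw: str) -> str:
    """Undo double URL encoding, a common trick for slipping past naive signatures."""
    return urllib.parse.unquote_plus(urllib.parse.unquote_plus(raw))


def scan_query(query: str) -> list:
    """Return (param, decoded_value, matched_fragment) for each suspicious watched parameter."""
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() not in WATCHED:
            continue
        value = decode_twice(raw)
        m = SUSPICIOUS.search(value)
        if m:
            hits.append((name, value, m.group(0)))
    return hits


def scan_log(text: str) -> list:
    """Return one finding dict per suspicious parameter seen on the affected endpoint."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):        # skip W3C directive lines
            continue
        fields = line.split()
        if len(fields) <= CLIENT_IP or fields[STEM].lower() != ENDPOINT.lower():
            continue
        if fields[QUERY] == "-":                    # IIS logs "-" for an empty query
            continue
        for name, value, frag in scan_query(fields[QUERY]):
            findings.append({"client_ip": fields[CLIENT_IP], "param": name,
                             "value": value, "matched": frag})
    return findings


# Constructed sample log: one benign request, a plain payload, a double-encoded
# payload that a literal "<script>" search would miss, and an unrelated page.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-24 10:15:01 10.0.0.5 GET /clt/LOGINFRM_VON.ASP l=es&demo=0 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-09-24 10:15:09 10.0.0.5 GET /clt/LOGINFRM_VON.ASP TNTLOGIN=%3Cscript%3Ealert(1)%3C/script%3E 443 - 198.51.100.23 Mozilla/5.0+(Windows) 200
2025-09-24 10:15:12 10.0.0.5 GET /clt/loginfrm_von.asp UO=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 - 198.51.100.23 Mozilla/5.0+(Windows) 200
2025-09-24 10:16:00 10.0.0.5 GET /clt/other.asp l=%3Cscript%3E 443 - 203.0.113.9 Mozilla/5.0+(Windows) 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client_ip']:16s} {f['param']:10s} matched {f['matched']!r} in {f['value']!r}")
```

Two hits come back for the sample, both from 198.51.100.23; the benign request and the request to a different page are ignored. Point the same logic at your real log export (adjusting the field indices if your W3C #Fields line differs), and treat repeated hits from one source as scanner activity, a single hit followed by a successful login as a possible victim.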