CVE-2025-59758 is a reflected Cross-Site Scripting (XSS) vulnerability identified in AndSoft's e-TMS software, specifically version 25.03. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. It affects multiple URL parameters ('l', 'demo', 'demo2', 'TNTLOGIN', 'UO', and 'SuppConn') within the '/clt/LOGINFRM_CYLOG.ASP' endpoint. An attacker can craft a malicious URL containing executable JavaScript code embedded in these parameters. When a victim accesses this URL, the injected script runs in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability does not require authentication (AV:N), has low attack complexity (AC:L), and does not require privileges (PR:N), but does require user interaction (UI:A) to trigger. The impact on confidentiality is low, with no direct impact on integrity or availability. The CVSS 4.0 score is 5.1 (medium severity), reflecting these factors. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was assigned by INCIBE and publicly disclosed on October 2, 2025.

For European organizations using AndSoft e-TMS v25.03, this vulnerability poses a moderate risk primarily to end users who access the vulnerable login page. Successful exploitation could lead to theft of session cookies or credentials, enabling attackers to impersonate legitimate users and access sensitive transportation management data. This could disrupt business operations, compromise shipment information, and lead to unauthorized data disclosure. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of compromised user accounts could be significant, especially for logistics companies handling sensitive or regulated goods. Additionally, regulatory compliance risks under GDPR may arise if personal data is exposed due to exploitation. The requirement for user interaction means phishing or social engineering campaigns could be used to lure victims into clicking malicious links, increasing the attack surface.

1. Implement proper input validation and output encoding on all affected parameters ('l', 'demo', 'demo2', 'TNTLOGIN', 'UO', 'SuppConn') in the '/clt/LOGINFRM_CYLOG.ASP' endpoint to neutralize malicious scripts. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Educate users about the risks of clicking on suspicious links, especially those received via email or messaging platforms. 4. Monitor web server logs for unusual URL patterns targeting the vulnerable parameters to detect potential exploitation attempts. 5. If possible, restrict access to the login page to trusted networks or implement multi-factor authentication to reduce the impact of compromised credentials. 6. Coordinate with AndSoft for timely patch deployment once available and apply updates promptly. 7. Use web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting these parameters.