CVE-2025-59767 is a reflected Cross-site Scripting (XSS) vulnerability identified in AndSoft's e-TMS version 25.03. The vulnerability arises from improper neutralization of input during web page generation, specifically involving the parameters 'l', 'demo', 'demo2', 'TNTLOGIN', 'UO', and 'SuppConn' within the '/clt/LOGINFRM_LVE.ASP' endpoint. An attacker can craft a malicious URL containing JavaScript code embedded in these parameters, which, when accessed by a victim, executes within the victim's browser context. This execution can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability is classified under CWE-79, indicating failure to sanitize or encode user-supplied input properly before reflecting it in the web page output. The CVSS v4.0 base score is 5.1 (medium severity), with attack vector being network (remote), low attack complexity, no privileges required, but user interaction is necessary (victim must click the malicious link). The vulnerability impacts confidentiality partially (VC:L), with limited scope and no impact on integrity or availability. No known exploits have been reported in the wild, and no patches are currently available. The vulnerability was published on October 2, 2025, with INCIBE as the assigner. Given the nature of the vulnerability, it primarily targets web clients of the e-TMS application, potentially affecting users who access the vulnerable login page with manipulated parameters.

For European organizations using AndSoft's e-TMS v25.03, this vulnerability poses a moderate risk. The reflected XSS can be exploited to steal session cookies or credentials, leading to unauthorized access to the transportation management system. This can disrupt logistics operations, cause data leakage of sensitive shipment or client information, and facilitate further attacks such as phishing or malware delivery. Since e-TMS is likely used in supply chain and transport management, exploitation could impact operational continuity and data confidentiality. The requirement for user interaction (clicking a malicious link) somewhat limits the attack surface but does not eliminate risk, especially if phishing campaigns target employees. The limited impact on integrity and availability reduces the risk of direct system compromise or downtime but does not negate the potential for indirect consequences through credential theft or session hijacking. The absence of known exploits in the wild suggests the threat is currently theoretical but should be addressed proactively to prevent future exploitation.

1. Immediate implementation of input validation and output encoding on all affected parameters ('l', 'demo', 'demo2', 'TNTLOGIN', 'UO', 'SuppConn') within the '/clt/LOGINFRM_LVE.ASP' page to neutralize malicious scripts. 2. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers accessing the e-TMS application. 3. Educate users and employees on phishing risks and encourage caution when clicking on unsolicited links, especially those targeting the e-TMS login page. 4. Monitor web server logs for suspicious URL patterns exploiting these parameters to detect attempted attacks. 5. Coordinate with AndSoft to obtain or request a security patch or update addressing this vulnerability. 6. Implement multi-factor authentication (MFA) on e-TMS accounts to reduce the impact of credential theft. 7. Regularly review and update web application firewall (WAF) rules to detect and block reflected XSS payloads targeting these parameters. 8. Conduct internal penetration testing focusing on the login page to verify the effectiveness of mitigations.