cbcvebase.
CVE-2025-34141
published 2025-07-22

CVE-2025-34141: A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability…

PriorityP277medium5.1CVSS 4.0
AVNACLATNPRNUIAVCNVINVANSCLSILSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.89%
77.0th percentile
A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1.

Affected

5 ranges
VendorProductVersion rangeFixed in
etqreliance_cg< SE.2025.1SE.2025.1
msrccbl2_numpy_1.16.6-3_on_cbl_mariner_2.0
msrccbl_mariner_2.0_arm
msrccbl_mariner_2.0_x64
msrccm1_numpy_1.16.6-2_on_cbl_mariner_1.0

Detection & IOCsextracted from sources · hover to see the quote

url/reliance/SQLConverterServlet?MySQLStm=%3C/textarea%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E
path/reliance/SQLConverterServlet
otherMySQLStm
yara
shodan-query: 'html:"ETQ Reliance"'
  • Detect exploitation attempts by matching HTTP requests to the SQLConverterServlet path with the MySQLStm parameter containing XSS payloads (e.g., URL-encoded HTML tags or event handlers).
  • Confirm vulnerable instances by checking HTTP response body for the string 'You have to start the ENGINE application before using this form.' alongside the reflected XSS payload.
  • Use Shodan or FOFA to identify exposed ETQ Reliance instances as potential targets: search for html:"ETQ Reliance" or body="ETQ Reliance".
  • The vulnerability is in the legacy CG platform's SQLConverterServlet component; monitor for any HTTP GET requests targeting this servlet path on ETQ Reliance deployments.
  • ·The vulnerability requires user interaction (authenticated user clicking a crafted link); exploitation is not fully unauthenticated/automated.
  • ·The SQLConverterServlet has been disabled in version SE.2025.1; patched instances will not respond to the exploit path, so detections should focus on unpatched (pre-SE.2025.1) deployments.
  • ·The Nuclei template uses a two-step flow: first resolving the base path via a redirect, then constructing the SQLConverterServlet URL dynamically; static path-based detections may need to account for non-default base paths.

CVSS provenance

nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck5.1MEDIUM
vendor_msrc5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.