CVE-2025-34141
BaseFortify
Publication date: 2025-07-22
Last updated on: 2025-11-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hexagon_etq | etq_reliance | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected cross-site scripting (XSS) issue in the ETQ Reliance CG (legacy) platform's SQLConverterServlet component. It occurs when an attacker crafts a malicious link that, when clicked by an authenticated user, causes unauthorized scripts to execute in the user's browser context. The affected servlet was unnecessarily exposed to authenticated users but has been disabled in a later version (SE.2025.1) to mitigate the issue.
How can this vulnerability impact me? :
The vulnerability can lead to execution of unauthorized scripts in the context of an authenticated user, potentially allowing attackers to steal session tokens, perform actions on behalf of the user, or manipulate the user interface. This can compromise user data and the integrity of the application.
What immediate steps should I take to mitigate this vulnerability?
The affected SQLConverterServlet component should be disabled or removed, as it was unnecessarily exposed to authenticated users. Upgrading to version SE.2025.1 or later, where this servlet has been disabled, is recommended to mitigate this vulnerability.