Vulnerability Details CVE-2021-40860
A SQL injection in the custom filter query component of Genesys Intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the ql_expression parameter. This makes it possible to extract all data in the database and, depending on the permissions and/or database engine, to execute OS commands.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.032
EPSS Ranking 86.3%
CVSS Severity
CVSS v3 Score 7.2
CVSS v2 Score 6.5
Products affected by CVE-2021-40860
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.002.20
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.003.08
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.004.07
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.005.04
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.006.01
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.007.05
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.007.07
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.008.05
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.009.08
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.010.16
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.011.12
- cpe:2.3:a:genesys:intelligent_workload_distribution_manager:9.0.012.08