A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.
References
Link | Resource |
---|---|
https://docs.genesys.com/Documentation/IWD | Product Release Notes Vendor Advisory |
https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/ | Exploit Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-12-08T14:58:13
Updated: 2021-12-08T14:58:13
Reserved: 2021-09-10T00:00:00
Link: CVE-2021-40861
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-12-08T15:15:10.127
Modified: 2021-12-13T15:08:28.390
Link: CVE-2021-40861
JSON object: View
Redhat Information
No data.
CWE