Description
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.
References (2)
Core 2
Core References
Product, Release Notes, Vendor Advisory x_refsource_misc
https://docs.genesys.com/Documentation/IWD
Exploit, Patch, Third Party Advisory x_refsource_misc
https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861/
Scores
CVSS v3
7.2
EPSS
0.0168
EPSS Percentile
74.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
genesys/intelligent_workload_distribution_manager
9.0.013.11 - 9.0.017.07
Published
Dec 08, 2021
Tracked Since
Feb 18, 2026