CVE-2021-40861
 
Public Exploits: 1
Exploited in Wild: -
Descriptions
A SQL Injection in the custom filter query component in Genesys intelligent Workload Distribution (IWD) 9.0.017.07 allows an attacker to execute arbitrary SQL queries via the value attribute, with which all data in the database can be extracted and OS command execution is possible depending on the permissions and/or database engine.
SSVC
- Decision: -
Timeline
- 2021-09-10 CVE Reserved
- 2021-12-08 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References (2)
URL | Date | SRC |
---|---|---|
https://www.offensity.com/en/blog/authenticated-sql-injection-in-the-genesys-iwd-manager-cve-2021-40860-and-cve-2021-40861 | 2024-08-04 |
https://docs.genesys.com/Documentation/IWD | 2021-12-13 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Genesys | Intelligent Workload Distribution Manager | >= 9.0.013.11 < 9.0.017.07 | - | Affected |