Genesys Latitude SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Genesys Latitude version 25.1.0.420. This vulnerability allows authenticated attackers to execute arbitrary SQL queries against the backend database. The issue arises from unsanitized user input being directly concatenated into SQL statements, creating an opportunity for injection attacks. The vulnerability was discovered in the status parameter of the /InteractionCollectorWebClient/api/inventory endpoint, which is accessible through the 'Agent Desktop' navigation menu.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, enabling attackers to execute arbitrary SQL queries and potentially manipulate or extract data from the database.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the 'Agent Desktop' menu and select the 'Inventory' link. This action will access the vulnerable endpoint where the SQL injection can be executed by appending a single quote to the status parameter, triggering a database error that indicates improper input validation. Once the injection point is confirmed, tools like SQLMap can be used to automate the exploitation by enumerating the database system and its contents.