Cross Site Scripting Vulnerability within Genesys Workforce Management version 184.108.40.206
I identified this vulnerability over a year ago and due to multiple delays I have now only come around to submitting for a CVE. The job was performed while at work but checking with the client, they confirmed they were happy for me to report it as a CVE.
This issue was identified during a web application for a customer who was using the software provded by Genesys. It was a standard web application assessment that was performed over a number of days, however, it was performed over a Citrix session which is something that I never ever want to do again. I spent the time wondering if the client was watching my every move, as they had confirmed that they couldn’t do any work anyway because I was essentially controlling their laptop! Not something I’d reccomend.
The payload used was <video src=1 onerror=alert(1)>
Information regarding the notification of of this to Genesys was originally started around July 2020. The following is a rough timeline of the steps taken to contact the vendor.
July 16th 2020 — Sent a DM to Genesys on Twitter regarding the issue identified
July 27th 2020 — No response so I left a comment on a Tweet about the DM. A response was provided via DM with an apology from Genesys and details around an internal contact to email about the issue.
July 28th 2020 — Sent an email to the internal contact detailing the issue.
August 10th 2020 — Sent a follow up email to internal contact asking for an update.
September 29th 2020 — Sent an follow up DM to the Twitter account asking if it could be chased
October 14th 2020 — I did get a response apologising and was provided with a contact form that I had previously filled in with no response.
Feb 2nd 2021 — Raised CVE Request
Sept 23rd 2021 — Request for more information from Mitre leading to this blog post.