Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

February 3, 2023 | Ravie Lakshmanan | Vulnerability management


On February 2nd, the US Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue affecting versions 12.2.3 through 12.2.11 of the Oracle Web Applications Desktop Integrator product.

“Oracle E-Business Suite contains an unspecified vulnerability that allows unauthenticated attackers to gain network access over HTTP and compromise Oracle Web Applications Desktop Integrator,” CISA said.

This issue was addressed by Oracle as part of the Critical Patch Update released in October 2022. Little is known about the nature of the attacks exploiting the vulnerability.

The second security flaw added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which stems from missing input validation in SugarCRM and could lead to the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.

This development comes a week after CISA also added CVE-2017-11357 (CVSS score: 9.8), a severe security vulnerability affecting Telerik UI that may facilitate arbitrary file uploads and remote code execution.

In light of active exploitation attempts, US Federal Civilian Executive Branch (FCEB) agencies have until February 23, 2023 to apply the patches.
