Security News > 2023 > February > CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency on February 2 added two security flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The first of the two vulnerabilities is CVE-2022-21587, a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.
"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator," CISA said.
The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022.
Not much is known about the nature of the attacks exploiting the vulnerability.
The development comes a week after CISA also added CVE-2017-11357, a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.
News URL
https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html
Related news
- CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25 (source)
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- CISA orders agencies to patch Linux kernel bug exploited in attacks (source)
- CISA Adds Four Vulnerabilities to Catalog for Federal Enterprise (source)
- CISA Adds Palo Alto Networks and SonicWall Flaws to Exploited Vulnerabilities List (source)
- CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks (source)
- CISA flags Craft CMS code injection flaw as exploited in attacks (source)
- Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA (source)
- CISA tags Windows, Cisco vulnerabilities as actively exploited (source)
- CISA Identifies Five New Vulnerabilities Currently Being Exploited (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-10-18 | CVE-2022-21587 | Missing Authentication for Critical Function vulnerability in Oracle E-Business Suite Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). | 9.8 |
2017-08-23 | CVE-2017-11357 | Unrestricted Upload of File with Dangerous Type vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | 9.8 |