Security News > 2023 > February > CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack
2023-02-03 05:23

The U.S. Cybersecurity and Infrastructure Security Agency on February 2 added two security flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.

The first of the two vulnerabilities is CVE-2022-21587, a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.

"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator," CISA said.

The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022.

Not much is known about the nature of the attacks exploiting the vulnerability.

The development comes a week after CISA also added CVE-2017-11357, a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.


News URL

https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-10-18 CVE-2022-21587 Missing Authentication for Critical Function vulnerability in Oracle E-Business Suite
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload).
0.0
2017-08-23 CVE-2017-11357 Unrestricted Upload of File with Dangerous Type vulnerability in Telerik UI for Asp.Net Ajax
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
network
low complexity
telerik CWE-434
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Oracle 698 249 2225 1709 366 4549
Sugarcrm 1 0 9 38 4 51