Security News > 2023 > February > CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack
The U.S. Cybersecurity and Infrastructure Security Agency on February 2 added two security flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The first of the two vulnerabilities is CVE-2022-21587, a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.
"Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator," CISA said.
The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022.
Not much is known about the nature of the attacks exploiting the vulnerability.
The development comes a week after CISA also added CVE-2017-11357, a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.
News URL
https://thehackernews.com/2023/02/cisa-alert-oracle-e-business-suite-and.html
Related news
- CISA warns of Windows flaw used in infostealer malware attacks (source)
- CISA urges software devs to weed out XSS vulnerabilities (source)
- Israel’s Pager Attacks and Supply Chain Vulnerabilities (source)
- Ivanti vTM auth bypass flaw exploited in attacks, CISA warns (CVE-2024-7593) (source)
- CUPS vulnerabilities could be abused for DDoS attacks (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-18 | CVE-2022-21587 | Missing Authentication for Critical Function vulnerability in Oracle E-Business Suite Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). | 9.8 |
| 2017-08-23 | CVE-2017-11357 | Unrestricted Upload of File with Dangerous Type vulnerability in Telerik UI for Asp.Net Ajax Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. | 9.8 |