The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.

The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.

“Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator,” CISA said.

The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability.

The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which relates to a case of missing input validation in SugarCRM that could result in the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.

The development comes a week after CISA also added CVE-2017-11357 (CVSS score: 9.8), a severe security vulnerability impacting Telerik UI that could facilitate arbitrary file uploads or remote code execution.

In light of active exploitation attempts, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are required to apply the patches by February 23, 2023.