The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation.
The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue affecting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product.
“Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator,” CISA said.
The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability.
The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: 8.8), which relates to a case of missing input validation in SugarCRM that could result in the injection of arbitrary PHP code. The bug has been fixed in SugarCRM versions 11.0.5 and 12.0.2.
The development comes a week after CISA also added CVE-2017-11357 (CVSS score: 9.8), a severe security vulnerability affecting Telerik UI that could facilitate arbitrary file uploads or remote code execution.
In light of active exploitation attempts, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are required to apply the patches by February 23, 2023.