CVE-2022-21587 & CVE-2023-22952 Vulnerabilities Being Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite and SugarCRM software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.

The first now-patched critical flaw, tracked as CVE-2022-21587, is rated 9.8 on the CVSS scoring system and could be leveraged to take over Oracle Web Applications Desktop Integrator. An unspecified vulnerability in Oracle E-Business Suite related to the Web Applications Desktop Integrator Application Service Upload component could allow an unauthenticated attacker to cause a high confidentiality impact, high integrity impact, and high availability impact.

The bug impact product Oracle Web Applications Desktop Integrator versions 12.2.3 and 12.2.11 have been addressed in the Oracle Critical Patch Update Advisory – October 2022.

Another flaw tracked as CVE-2023-22952 (CVSS score of 8.8) affects SugarCRM which could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation. By sending a specially-crafted request using the EmailTemplates, an attacker could exploit this vulnerability to execute arbitrary PHP code on the system.