The Cybersecurity and Infrastructure Security Agency (CISA) has added Telerik and Zoho vulnerabilities to its Known Exploited Vulnerabilities Catalog.
CISA warned “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”
As a result, these vulnerabilities have been added to the Catalog based on evidence of active exploitation.
Telerik CVE-2017-11357
CISA added a Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability (CVE-2017-11357) to the exploited vulnerabilities catalog on January 26, 2023.
Telerik AD is a Bulgarian company offering software tools for web, mobile and desktop application development, along with tools and subscription services for cross-platform application development.
The vulnerability is rated Critical and has a CVSS base score of 9.8.
“Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code,” NIST noted in an advisory first published on August 23, 2017 (last updated January 27, 2018).
Telerik also published a knowledge base article with more recent updates regarding the issue on January 5, 2021:
“Due to the .NET JavaScriptSerializer Deserialization (CVE-2019-18935) vulnerability, we strongly recommend upgrading to R1 2020 (version 2020.1.114) or later since the patches provided for CVE-2017-1135, CVE-2014-2217 and CVE-2017-11317 do not prevent it.”
Zoho ManageEngine CVE-2022-47966
CISA added a Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability (CVE-2022-47966) to the exploited vulnerabilities catalog on January 23, 2023.
ManageEngine, a division of Zoho, makes enterprise IT management software for service management, operations management, Active Directory and security needs.
As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.
The vulnerability is rated Critical and has a CVSS base score of 9.8.
“Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections,” NIST wrote on January 18, 2023 (last updated January 25, 2023).
Moreover, ManageEngine posted a security advisory confirming that CVE-2022-47966 applies only when SAML SSO has been enabled in the ManageEngine setup; ManageEngine On-Demand/cloud products are not affected by this issue.
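Both entries above come down to two facts a defender needs to act on: which installed version or build is in scope, and (for ManageEngine) whether SAML SSO is enabled. The following Python is an added triage example, not code from CISA, Telerik or Zoho. It takes only the thresholds quoted in the text (Telerik's recommended 2020.1.114 floor and ServiceDesk Plus "through 14003") and runs them over a constructed inventory. It assumes Telerik.Web.UI assembly versions follow the `YYYY.Q.DDD[.N]` pattern seen in the article, and it does not encode fixed builds for other ManageEngine products, which the article does not list.

```python
"""Triage an asset inventory against the version thresholds quoted in the advisory.

Added example: thresholds come from the article text; the inventory is constructed.
"""
import re
from typing import NamedTuple

# From the Telerik article quoted above: upgrade to R1 2020 (2020.1.114) or later.
TELERIK_MIN_RECOMMENDED = (2020, 1, 114)
# From the NIST text quoted above: ServiceDesk Plus is affected "through 14003".
SDP_LAST_AFFECTED_BUILD = 14003

# Assumed Telerik.Web.UI assembly version layout: YYYY.Q.DDD with an optional 4th part.
_TELERIK_RE = re.compile(r"^(\d{4})\.(\d)\.(\d{3,4})(?:\.\d+)?$")


def parse_telerik_version(version: str) -> tuple:
    """Turn '2019.3.1023.45' into (2019, 3, 1023) so versions compare as tuples."""
    m = _TELERIK_RE.match(version.strip())
    if not m:
        # Marketing names such as 'R2 2017 SP2' are not assembly versions; refuse to guess.
        raise ValueError(f"unrecognised Telerik.Web.UI version: {version!r}")
    return tuple(int(part) for part in m.groups())


def telerik_needs_upgrade(version: str) -> bool:
    """True when the assembly is older than the 2020.1.114 floor the vendor recommends."""
    return parse_telerik_version(version) < TELERIK_MIN_RECOMMENDED


def sdp_build_affected(build, saml_sso_enabled: bool) -> bool:
    """CVE-2022-47966 on ServiceDesk Plus: build <= 14003 AND SAML SSO enabled."""
    return int(build) <= SDP_LAST_AFFECTED_BUILD and bool(saml_sso_enabled)


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    status: str


# Constructed sample inventory (hostnames and values are illustrative only).
INVENTORY = [
    {"host": "web01", "product": "Telerik.Web.UI", "version": "2017.2.503"},
    {"host": "web02", "product": "Telerik.Web.UI", "version": "2020.1.114"},
    {"host": "web03", "product": "Telerik.Web.UI", "version": "2019.3.1023.45"},
    {"host": "web04", "product": "Telerik.Web.UI", "version": "R2 2017 SP2"},
    {"host": "itsm01", "product": "ServiceDesk Plus", "build": "14003", "saml_sso": True},
    {"host": "itsm02", "product": "ServiceDesk Plus", "build": "14003", "saml_sso": False},
    {"host": "itsm03", "product": "ServiceDesk Plus", "build": "14004", "saml_sso": True},
]


def triage(inventory) -> list:
    """Classify every inventory row; unknown version strings are reported, not silently skipped."""
    findings = []
    for item in inventory:
        if item["product"] == "Telerik.Web.UI":
            try:
                flagged = telerik_needs_upgrade(item["version"])
            except ValueError:
                findings.append(Finding(item["host"], item["product"], item["version"], "UNPARSEABLE"))
                continue
            status = "UPGRADE: below 2020.1.114" if flagged else "OK"
            findings.append(Finding(item["host"], item["product"], item["version"], status))
        elif item["product"] == "ServiceDesk Plus":
            if sdp_build_affected(item["build"], item["saml_sso"]):
                status = "VULNERABLE: CVE-2022-47966 (build <= 14003, SAML SSO enabled)"
            elif int(item["build"]) <= SDP_LAST_AFFECTED_BUILD:
                # Not exploitable today, but one config change away from it: still patch.
                status = "PATCH: build <= 14003 (SAML SSO currently disabled)"
            else:
                status = "OK"
            findings.append(Finding(item["host"], item["product"], item["build"], status))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.host:8} {f.product:18} {f.version:16} {f.status}")
```

The ServiceDesk Plus branch deliberately reports "PATCH" rather than "OK" when SAML SSO is off, since the vendor's condition is a configuration state that can change after the inventory was taken; the build number is the durable fact.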
Readers can check out the latest details on CISA’s Known Exploited Vulnerabilities Catalog.