SAP Security Notes, May 2021
Note 3046610 patches a high-priority code injection vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Program RDDPUTJR may be executed by attackers to inject malicious code. The note replaces the code of the report with an exit statement. The program can be deleted by the support packages included in the note. Access to SA38 and SE38 can be restricted as a workaround.
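To apply the workaround, it helps to know which roles currently grant SA38 or SE38. The following is an added example, not taken from the note or from SAP: it scans a CSV export in the column layout of table AGR_1251 for S_TCODE values that cover either transaction. The sample rows, the role names and the simplified wildcard and range matching are assumptions.

```python
import csv
import io

WATCHED = ("SA38", "SE38")  # transactions named in the workaround

# Constructed sample export; columns follow AGR_1251, role names are made up.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_BASIS_ADMIN,S_TCODE,TCD,SA38,,
Z_DEVELOPER,S_TCODE,TCD,SE*,,
Z_REPORTING,S_TCODE,TCD,SA00,SA99,
Z_FI_CLERK,S_TCODE,TCD,FB01,,
Z_OLD_ROLE,S_TCODE,TCD,SE38,,X
Z_SUPER,S_TCODE,TCD,*,,
Z_FI_CLERK,S_PROGRAM,P_ACTION,SUBMIT,,
"""

def value_covers(low, high, tcode):
    """True if an authorization value (single, trailing-* pattern or range) covers tcode."""
    low, high = low.strip().upper(), high.strip().upper()
    if low.endswith("*"):            # pattern such as SE* or *
        return tcode.startswith(low[:-1])
    if high:                         # LOW..HIGH range, plain string ordering (assumption)
        return low <= tcode <= high
    return low == tcode

def roles_granting(export_text, watched=WATCHED):
    """Map role name -> sorted list of watched transactions its S_TCODE values allow."""
    hits = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        if row["DELETED"].strip().upper() == "X":   # assumed: X marks an inactive entry
            continue
        for tcode in watched:
            if value_covers(row["LOW"], row["HIGH"], tcode):
                hits.setdefault(row["AGR_NAME"], set()).add(tcode)
    return {role: sorted(tcodes) for role, tcodes in sorted(hits.items())}

if __name__ == "__main__":
    for role, tcodes in roles_granting(SAMPLE_EXPORT).items():
        print(f"{role}: {', '.join(tcodes)}")
```

Wildcard and range entries are the ones usually missed in a manual review. The result lists roles only; which users hold those roles has to be checked separately.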
Notes 3049755 and 3049661 deal with multiple vulnerabilities in SAP Business One. These include code injection, OS command injection, and information disclosure.
Notes 3012021 and 2745860 patch XML injection, information disclosure and unrestricted file upload vulnerabilities in the Integration Builder Framework of SAP Process Integration.