SAP Security Notes, May 2022
Hot news note 3165801 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP. The notes introduces an authorization check for object S_OC_SEND to prevent the transmission of the contents of ABAP list output from the System Menu via e-mail. The note impacts all versions of SAP_BASIS from 700 to 788.
Notes 2756188 and 2754555 patch Cross-Site Request Forgery (CSRF) vulnerabilities in the front end and back end of Bank Payments of the Fiori UI for Financial Accounting.
Note 2998510 provides a fix for an information disclosure vulnerability in the Central Management Server (CMS) of SAP BusinessObjects that could lead to the leakage of authentication credentials in Sysmon event logs.
Central note 3170990 was updated with note 3189409 to include a patch for the critical Sping4Shell Remote Code Execution vulnerability in SAP Business One Cloud.