On 10.05.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within UI5.
SAP Note 2756188 addresses "Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments front-end" and prevents cross-site request forgery (XSRF); the risk of exploitation is rated medium.
According to the SAP Security Advisory team, no workaround exists. The team suggests implementing the correction as part of the monthly patch process.
Risk specification
F0673 Approve Bank Payments allows an attacker to trick an authenticated user into sending an unintended request to the web server. The vulnerability is caused by insufficient CSRF protection: the state-changing request was issued with the HTTP method GET, which the browser sends automatically with the user's session cookie.
The correction changes the HTTP method from GET to POST.
The advisory is valid for:
- UIAPFI70 300
- UIAPFI70 400