...

These patch versions will be included in the following official Critical Service Patch (CSP) releases for both Nolana and Orchid (Details TBD).:

• Nolana CSP #2
• Orchid CSP #4

System operators are advised to immediately apply this fix for both modules if they haven't done so already.

...

N.B. After changing SYSTEM_USER_PASSWORD or SYSTEM_USER_NAME it is NOT sufficient to only redeploy the module; you also MUST reinstall the module as show above.

N.B. Disabling an affected module is NOT sufficient to fix the vulnerability.

Am I a victim?

Unfortunately the Folio Security Team is unaware of a way to conclusively determine if these vulnerabilities have been exploited.  OKAPI does log the user ID for all proxied requests, so you may look for unusual activity associated with either of these users.  Depending on your hosting infrastructure, it may also be possible to look at load balancer and/or reverse proxy logs, but there may not be enough information logged there if request payloads/certain headers aren't captured.  You may want to review logs as far back as when you upgraded to Nolana.