Had a site reporting the same vulnerability and after upgrading to 2024R2.3 this was no longer being reported.
I checked the release documentation and it is not listed as was expected in 2025R1. Can only assume it may have been squeezed into the r2.2 or r2.3 patch??

We have had reports of this too.
As Sage CRM 2023 R2 is supported until 31st December 2026, I would expect this would have been resolved somewhere up to 2023 R2.6, we'll be patching a site to this release next week, so I'll report back if their cyber team approve it / or don't.

Tomcat is a separate component and this links tells how to update Tomcat version separate from CRM version.

communityhub.sage.com/.../manually-updating-the-tomcat-version