Description:The Magento 2.0.3 EE and CE releases contains multiple security and functional fixes. You can find more details about the vulnerabilities addressed by this release below.
The following vulnerabilities are being addressed within this update:
- APPSEC-1263 - Server-side cross-site scripting via user name
- APPSEC-1379 - Reflected cross-site scripting in Authorize.net module
- APPSEC-1337 - Arbitrary PHP code execution using language packs
- APPSEC-1377 - API token access vulnerable to brute force attacks
- APPSEC-1378 - Web API allows anonymous access
- APPSEC-1303 - Weak encryption keys when generated from Manage Encryption Keys page
Affected versions: Magento CE and EE prior to 2.0.3
Solution: Follow Magento security best practices and apply update.