Magento 2.0.6 Security Update

Posted in Magento

Description: Magento Enterprise Edition and Community Edition 2.0.6 are now available.

Items fixed:

  • Unauthenticated remote code execution via API - Magento no longer permits an unauthenticated user to remotely execute code on the server through its APIs.
  • Unauthenticated reinstallation leading to remote code execution - The Magento installation code is no longer accessible once the installation process has completed.
  • Customer account takeover - Magento no longer allows authenticated customers to change other customers' account information using either SOAP or REST calls.
  • Reflected cross-site scripting in payment module - Several parameters in the payment module were vulnerable to reflected Cross-Site Scripting (XSS) attacks; these have been fixed.
  • Data privacy issues in APIs - Anonymous users can no longer retrieve the private data of registered customers.
  • Application information disclosure - Application error messages no longer include the path to the file where the error occurred.

Affected versions: Magento CE and EE prior to 2.0.6

Recommended action: Upgrade to 2.0.6, and refer to the security best practices for additional information on how to secure your site.

Origin URLs:
