Description: Magento Enterprise Edition and Community Edition 2.0.6 are now available.
- Unauthenticated remote code execution via API - Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs.
- Unauthenticated reinstallation leading to remote code execution - The Magento installation code is no longer accessible once the installation process has completed.
- Customer account takeover - Magento no longer allows authenticated customers to change other customers' account information using either SOAP or REST calls.
- Reflected cross-site scripting in Authorize.net module - Several parameters in the Authorize.net payment module are vulnerable to reflected Cross-Site Scripting (XSS) attacks.
- Data privacy issues in APIs - Anonymous users can no longer retrieve the private data of registered customers.
- Application information disclosure - Application error messages no longer include the path to the file where the error occurred.
Affected versions: Magento CE and EE prior to 2.0.6
Recommended action: Refer to security best practices for additional information on how to secure your site.