Magento 2.0.6 Security Update

Magento Enterprise Edition and Community Edition 2.0.6, released on May 17th, 2016, are the latest security upgrades for both editions of Magento. Alongside various functional improvements, this release addresses several security vulnerabilities and protects your Magento platform against the following threats:

  • Remote Code Execution (RCE). With a rating of 9.8 on the severity scale, remote code execution puts your system in critical danger. Previously, an unknown user could execute code on your server from a remote location through several API paths; this security upgrade closes that path so that code can no longer be run on your server via the APIs by an unknown user.
  • Information Disclosure/Leakage (Confidential or Restricted). Information leakage presents a high-level threat to your platform, carrying a rating of 7.5 on the severity scale. With the new upgrade, Magento no longer allows a user to alter another user's information through REST or SOAP calls: the ID of the account being edited must match the ID bound to the authentication in use. Previously, a user with questionable intent could take over another user's account and information simply by logging on as that user without an authentication token. Another issue was that unknown users could access the sensitive data of registered users by modifying the cart of a known customer. This vulnerability was fixed by removing the offending code from the quote API, so that only authenticated users can assign a guest cart to themselves.
  • Cross Site Scripting. With a 7.4 rating on the severity scale, cross-site scripting presents a high risk to your Magento software. Issues with several parameters in the Authorize.net integration increased the risk of cross-site scripting (XSS) attacks.
  • Cross Site Request Forgery (CSRF). CSRF poses a medium risk to a Magento system, with a severity rating of 6.5. CSRF problems found in older Magento versions could fool a user into deleting the contents of his store address book. A further issue was the missing validation of the "form" key when removing products from the mini cart through a GET request, which made it possible to fool a customer into removing items from his or her cart by way of various link-hiding methods and techniques. Finally, insufficient CSRF protection around the backup function meant that admin users could be made to create a system backup: a user could be tricked into clicking a link that creates one, and an admin with limited privileges could use this with questionable intentions.
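The two server-side fixes described above, the account-update authorization check (the edited account's ID must match the authenticated user) and the form-key check on state-changing cart requests, reduce to a few lines of logic. The following Python model is an added example, not Magento code and not code from Forix; the token table, session and request classes, and the `update_customer` and `remove_cart_item` functions are all constructed for illustration:

```python
"""Hypothetical models of two checks described in the 2.0.6 update notes.

Constructed for illustration only; this is not Magento code. All names,
tokens and sample records below are assumptions made up for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when a request fails an authorization or anti-CSRF check."""


# --- Part 1: object-level authorization on account updates ------------------

# Constructed sample data: bearer tokens mapped to the customer id they belong to.
TOKENS = {"tok-alice": 101, "tok-bob": 102}

CUSTOMERS = {
    101: {"email": "alice@example.test"},
    102: {"email": "bob@example.test"},
}


def update_customer(token: Optional[str], customer_id: int, email: str) -> dict:
    """Update a customer record only when the caller *is* that customer.

    This mirrors the fix for the REST/SOAP update endpoint: the id of the
    account being edited must equal the id bound to the authentication in
    use, and an unauthenticated caller is refused outright.
    """
    if token is None or token not in TOKENS:
        raise Forbidden("authentication token required")
    if TOKENS[token] != customer_id:
        raise Forbidden("token does not belong to the customer being edited")
    CUSTOMERS[customer_id]["email"] = email
    return CUSTOMERS[customer_id]


# --- Part 2: form-key validation on state-changing cart requests ------------

@dataclass
class Session:
    """Per-visitor session holding a random form key and a small cart."""
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    cart: list = field(default_factory=lambda: ["sku-1", "sku-2"])


@dataclass
class Request:
    method: str
    params: dict
    session: Session


def remove_cart_item(request: Request) -> list:
    """Remove an item from the cart only for a POST carrying the session's form key.

    Accepting the removal on a bare GET, with no key check, is the mini-cart
    weakness described above; a disguised link would then act on the cart.
    """
    if request.method != "POST":
        raise Forbidden("state-changing action must not be reachable via GET")
    supplied = request.params.get("form_key", "")
    # Constant-time comparison so the key cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied, request.session.form_key):
        raise Forbidden("invalid form key")
    sku = request.params["sku"]
    if sku in request.session.cart:
        request.session.cart.remove(sku)
    return request.session.cart


if __name__ == "__main__":
    sess = Session()
    # Legitimate removal: a POST carrying the session's own form key.
    print(remove_cart_item(Request("POST", {"sku": "sku-1", "form_key": sess.form_key}, sess)))
    # A GET without the key is refused, so the cart is left untouched.
    try:
        remove_cart_item(Request("GET", {"sku": "sku-2"}, sess))
    except Forbidden as exc:
        print("refused:", exc)
    print(update_customer("tok-alice", 101, "alice.new@example.test"))
```

The form key is bound to the session and compared with `hmac.compare_digest`, and the action is refused on anything but a POST; both halves matter, since a GET that still checks the key is only as safe as the key's secrecy in URLs and logs.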

The Magento 2.0.6 Security Update is an imperative security addition to your Magento platform. Forix strongly recommends that all Magento users download the latest update as soon as possible in order to receive the protection enhancements and operational advantages it offers a Magento store.

Note: Magento users who have not installed a previously released Magento 2.0 update should go straight to the newest available upgrade, which is Magento Enterprise Edition or Community Edition 2.0.6.

Get Magento 2.0.6 Security Update installed today

The Magento experts at Forix are experienced with Magento security upgrades like 2.0.6 and are well equipped to handle any questions or concerns you may have about the installation process.