Magento Security Update 2.0.10 and 2.1.2

Released by Magento on October 11, 2016, the Magento 2.0.10 and 2.1.2 Security Update is the latest enhancement for the Enterprise and Community editions of Magento. This update features several improvements to ensure that your Magento platform is protected from the following threats:

  • Remote Code Execution (RCE). With a severity rating of 9.8, the threat of remote code execution is extremely dangerous to your Magento system. An issue discovered in previous Magento versions allowed users to administer harmful PHP code while going through the checkout process.
  • Local file inclusion. With a security rating of 4.9, threats of local file inclusions pose a medium to low level threat against a Magento platform. Potential problems discovered in earlier Magento versions offer a user with limited privileges the ability to place system files in a media folder that is available to the public. The data in question can then be obtained by any user at any point.
  • SQL Injection/Improper validation. With a security rating of 9.1, instances of SQL injection and improper validation present a supremely high risk to a Magento platform. A critical problem found in earlier Magento versions allowed the functioning of a bug in the Zend Framework value, which granted a user the capacity to administer SQL via various parameters. Upon inspection, Magento did not find any front-end pathways or access points that could result in a complete SQL injection. However, they did discover an access point in the admin panel and believe that other access areas exist throughout the software.
  • Cross-Site Scripting (XSS). With a rating of 8.7 on the severity scale, any instances of cross site scripting can increase the chances of an attacker inserting chunks of hazardous code and victimizing all users of a Magento platform. Problematic XSS circumstances noticed in previous Magento editions allowed potentially harmful code to put in email templates and drafts for storage, to be administered whenever these drafts and templates are viewed. Another XSS issue found in previous Magento versions was the ability to use the Magento Enterprise Edition invite function to place harmful JavaScript in the position to be executed by an admin without his or her knowledge.
  • Breach of personal information disclosure. With a 7.5 severity rating, a personal information disclosure presents a high risk, threatening the privacy of all guests and users of a Magento platform. Issues seen in earlier Magento versions did not ensure protection from users who attempt to view the order information of guests. Even though a user cannot pick what orders he or she wants to access, there is still a potential to extract a portion of guest order information. Other issues associated with information leaking detected include the exposure of interior files and data when a system is in the maintenance setting.
  • Insufficient session expiration. Presenting a severity level of 4.5, an instance of insufficient session expiration can produce a low to medium risk. If sessions do not end when a logout has been completed, it creates the potential for hackers to steal a session’s cookie and obtain access to a user’s account. This typically happens when multiple users share electronic devices and access the site.

Overall, it is clear that the Magento 2.0.10 and 2.1.2 Security Update can deter the risk of hackers infiltrating your Magento software and causing severe damage to your business. Knowing this, Forix recommends that all Magento merchants install the latest security update in order to reap the various benefits and enhanced protection Magento 2.0.10 and 2.1.2 Security Update offers.

Get Magento 2.0.10 and 2.1.2 Security Update installed today.

Forix professionals have a vast amount of experience and expertise when it comes to Magento platforms and installing Magento security patches like the Magento 2.0.10 and 2.1.2 Security Updates and are happy to help ensure your Magento upgrade is installed correctly.