Critical Security Updates – Magento 2.0.10 and 2.1.2

Magento Enterprise Edition and Community Edition 2.0.10 and 2.1.2 contain multiple security fixes, including a fix for a Zend Framework vulnerability, a check that prevents unauthorized users from creating backups of Magento files, and a fix ensuring that sessions are invalidated when a user logs out.

More information about these issues is provided below.

  • APPSEC-1484 – Remote Code Execution in checkout
    • Severity = 9.8 (Critical)
  • APPSEC-1480 – SQL injection in Zend Framework
    • Severity = 9.1 (Critical)
  • APPSEC-1503 – Stored Cross-Site Scripting in email templates
    • Severity = 8.7 (High)
  • APPSEC-1488 – Stored XSS in invitations
    • Severity = 8.2 (High)
  • APPSEC-1533 – Order item with altered price
    • Severity = 7.5 (High)
  • APPSEC-1270 – Guest order view protection code vulnerable to brute-force attack
    • Severity = 7.5 (High)
  • APPSEC-1539 – Cross-Site Scripting in section loading
    • Severity = 7.5 (High)
  • APPSEC-1433 – Unauthorized removal of customer address
    • Severity = 6.5 (Medium)
  • APPSEC-1338 – Full Page Cache poisoning
    • Severity = 6.5 (Medium)
  • APPSEC-1329 – Information disclosure in maintenance mode
    • Severity = 5.3 (Medium)
  • APPSEC-1490 – Local file inclusion
    • Severity = 4.9 (Medium)
  • APPSEC-1543 – Removal of currently logged-in administrator
    • Severity = 4.9 (Medium)
  • APPSEC-1212 – CSRF delete items from mini cart
    • Severity = 4.3 (Medium)
  • APPSEC-1478 – Session does not expire on logout
    • Severity = 4.2 (Medium)
  • APPSEC-1481 – Admin users can create backups regardless of privileges
    • Severity = 4.1 (Medium)

You are advised to deploy these new releases right away. Install and test the updates in a development environment before putting them into production, and always take a full backup before attempting to upgrade your store.
