Magento Enterprise Edition and Community Edition 2.0.10 and 2.1.2 contain multiple security enhancements to address a Zend Framework vulnerability, prevent unauthorized users from backing up Magento files, and ensure sessions are invalidated after a user logs out. More information about these issues is provided below.

• APPSEC-1484 – Remote Code Execution in checkout
  • Severity = 9.8 (Critical)
• APPSEC-1480 – SQL injection in Zend Framework
  • Severity = 9.1 (Critical)
    
• APPSEC-1503 – Stored Cross-Site Scripting in email templates
  • Severity = 8.7 (High)
• APPSEC-1488 – Stored XSS in invitations
  • Severity = 8.2 (High)
• APPSEC-1533 – Order item with altered price
  • Severity = 7.5 (High)
• APPSEC-1270 – Guest order view protection code vulnerable to brute-force attack
  • Severity = 7.5 (High)
• APPSEC-1539 – Cross-Site Scripting in section loading
  • Severity = 7.5 (High)
• APPSEC-1433 – Unauthorized removal of customer address
  • Severity = 6.5 (Medium)
• APPSEC-1338 – Full Page Cache poisoning
  • Severity = 6.5 (Medium)
• APPSEC-1329 – Information disclosure in maintenance mode
  • Severity = 5.3 (Medium)
• APPSEC-1490 – Local file inclusion
  • Severity = 4.9 (Medium)
• APPSEC-1543 – Removal of currently logged-in administrator
  • Severity = 4.9 (Medium)
• APPSEC-1212 – CSRF delete items from mini cart
  • Severity = 4.3 (Medium)
• APPSEC-1478 – Session does not expire on logout
  • Severity = 4.2 (Medium)
• APPSEC-1481 – Admin users can create backups regardless of privileges
  • Severity = 4.1 (Medium)

 

You are advised to deploy these new releases right away. Updates should be installed and tested in a development environment before being put into production. Always take a full backup before attempting to upgrade your store.