
Top 10 security enhancements with Magento's latest version – 2.1.2

December 3, 2016

Of the ten security enhancements in this release, the one I like most is that buyers can no longer lower a product's price from the storefront and complete a transaction at the reduced price.

Here is the full list, as described by the Magento team:

1) An issue in the Magento Enterprise Edition invitations feature has been fixed that allowed malicious JavaScript to be injected and subsequently executed in the Admin context (a cross-site scripting issue against administrators).

2) A buyer can no longer alter a product's price from the Magento storefront and then check out an order at the reduced price. The price of a line item must come from the server-side catalog, never from the client's request.

3) An issue allowing arbitrary PHP code execution during checkout has been fixed.

4) An issue with backend media files has been fixed that had allowed attackers to retrieve potentially sensitive information.

5) An issue with cron settings has been fixed; cron jobs now run according to the settings defined.

6) Bad news for attackers: sessions now expire as expected after logout, so a captured session identifier can no longer be reused once the user has logged out.

7) The guest order view feature has been removed so that attackers can no longer use it to harvest order information.

8) Good news for Braintree Vault users: Kount and 3D Secure now work with it as expected.

9) A currently logged-in user can no longer be deleted. It sounds trivial, but it makes sense.

10) A user with lesser privileges can no longer force an Admin user to add a private or public key through a JSON call.
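To make item 2 concrete, here is an added example (my own illustration, not Magento's code) of the two ways a checkout handler can compute an order total: one that trusts the price the browser posted, and a hardened one that looks the price up server-side and refuses the order outright when the client's price disagrees with the catalog. The catalog array, the request arrays and the `PriceTamperingException` class are all assumptions constructed for the example; a real store would read prices from its database.

```php
<?php
// Added example, not Magento's code. Shows the price-tampering pattern
// behind item 2 and its hardened form. CATALOG, the request arrays and
// PriceTamperingException are constructed for illustration only.

declare(strict_types=1);

final class PriceTamperingException extends RuntimeException {}

// Constructed sample catalog: SKU => unit price in cents (integers avoid
// floating-point rounding in money arithmetic).
const CATALOG = [
    'SKU-1001' => 4999,   // $49.99
    'SKU-2002' => 12900,  // $129.00
];

/**
 * VULNERABLE: trusts the price the client posted. A buyer who edits the
 * hidden form field or JSON body can check out at any price, even 1 cent.
 */
function quoteTotalVulnerable(array $items): int
{
    $total = 0;
    foreach ($items as $item) {
        $total += (int) $item['price'] * (int) $item['qty'];
    }
    return $total;
}

/**
 * HARDENED: the client may only name a SKU and a quantity. The unit price
 * is taken from the server-side catalog. If the request also carries a
 * price and it disagrees with the catalog, the order is refused rather than
 * silently corrected, so the tampering attempt is visible and can be logged.
 */
function quoteTotalHardened(array $items): int
{
    $total = 0;
    foreach ($items as $item) {
        $sku = (string) ($item['sku'] ?? '');
        $qty = filter_var(
            $item['qty'] ?? null,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 1000]]
        );
        if (!isset(CATALOG[$sku]) || $qty === false) {
            throw new InvalidArgumentException("bad line item: sku={$sku}");
        }
        $serverPrice = CATALOG[$sku];
        if (array_key_exists('price', $item) && (int) $item['price'] !== $serverPrice) {
            throw new PriceTamperingException(sprintf(
                'price mismatch for %s: client=%d catalog=%d',
                $sku, (int) $item['price'], $serverPrice
            ));
        }
        $total += $serverPrice * $qty;
    }
    return $total;
}

// Constructed request: the buyer has edited the posted price of SKU-2002
// down to 1 cent before submitting the checkout.
$tamperedRequest = [
    ['sku' => 'SKU-1001', 'qty' => 1, 'price' => 4999],
    ['sku' => 'SKU-2002', 'qty' => 1, 'price' => 1],
];

printf("vulnerable handler total: %d cents\n", quoteTotalVulnerable($tamperedRequest));

try {
    quoteTotalHardened($tamperedRequest);
} catch (PriceTamperingException $e) {
    echo "hardened handler refused the order: ", $e->getMessage(), "\n";
}

// Constructed honest request: no client-supplied price at all, which is
// the only shape the hardened handler actually needs.
$honestRequest = [
    ['sku' => 'SKU-1001', 'qty' => 1],
    ['sku' => 'SKU-2002', 'qty' => 1],
];
printf("honest request total: %d cents\n", quoteTotalHardened($honestRequest));
```

The design point is that the hardened handler does not "fix up" a wrong client price and continue; a mismatch is evidence of tampering and should abort the checkout and be logged, the same way the storefront fix in 2.1.2 stops the order rather than re-pricing it. Quantity is validated with a bounded integer filter so that a negative or absurd quantity cannot be used to drive the total down either.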
