Important Security Updates in Magento 2.0.4 Release

Yesterday, Magento 2.0.4 was released, bringing important functional and security updates to the latest commerce platform.

Important: Magento 2.0.4 replaces Magento 2.0.3, which was released the day before, to address a packaging issue. If you have already installed the original release, you must replace it with the new version to ensure that your site receives all security enhancements.

The new release is available for both Magento Enterprise Edition and Community Edition, and contains several security improvements, including:

  • Prevents anonymous access to web APIs by default so that private information about the store, such as pricing, stock details, and upcoming promotions, is not disclosed without authentication. Merchants can still configure their APIs to support anonymous access if it is required by certain extensions. More information is available
  • Sets limits on the number of Admin and Customer Token Access API password attempts allowed to help prevent brute-force attempts to guess passwords.
  • Fully resolves a previous issue with cross-site scripting so that attackers cannot enter an email address with malicious JavaScript code during customer registration on the storefront.
  • Fixes multiple parameters in the payment module that were vulnerable to reflected cross-site scripting attacks.

For the full list of enhancements and upgrade instructions, see the official release notes for the Community Edition and Enterprise Edition.

ProperHost currently offers a free 30-day trial on all our Magento 2.0 compatible hosting plans, so make sure to try out the next-generation e-commerce platform today!