Magento < 2.0.6 - Unauthenticated Arbitrary Unserialize -> Arbitrary File Write


CVE-2016-4010: Magento CE and EE before 2.0.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.

Impact: The Magento e-commerce platform is vulnerable to an unauthenticated arbitrary file write. Attackers can exploit this issue to gain administrative access to the application.
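
As an added illustration (not Magento's code and not the patch the vendor shipped), the generic PHP pattern behind this vulnerability class, unserialize() on client-supplied bytes, shown beside two hardened alternatives. The CartItem class, the loadCart*/buildItems function names and the sample inputs at the bottom are assumed and constructed for the example; it targets PHP 8 (constructor promotion, mixed), while the allowed_classes option itself exists since PHP 7.0.

```php
<?php
declare(strict_types=1);

// Added example, not Magento's code. CartItem and the loadCart* functions are
// assumed names for illustration; the inputs at the bottom are constructed.

final class CartItem
{
    public function __construct(public string $sku, public int $qty) {}
}

// VULNERABLE PATTERN: unserialize() on bytes the client controls instantiates
// whatever class the payload names. Any loaded class with __wakeup, __destruct
// or __toString then runs attacker-chosen logic (PHP object injection).
function loadCartUnsafe(string $clientData): mixed
{
    return unserialize($clientData);
}

// Shared validation: rebuild trusted objects from checked scalars instead of
// trusting the shape of whatever came off the wire.
function buildItems(mixed $cart): array
{
    if (!is_array($cart)) {
        throw new InvalidArgumentException('cart payload must decode to an array');
    }
    $items = [];
    foreach ($cart as $row) {
        if (!is_array($row)
            || !isset($row['sku'], $row['qty'])
            || !is_string($row['sku'])
            || !is_int($row['qty'])
            || $row['qty'] < 1
            || !preg_match('/^[A-Z0-9-]{1,32}$/', $row['sku'])) {
            throw new InvalidArgumentException('malformed cart row');
        }
        $items[] = new CartItem($row['sku'], $row['qty']);
    }
    return $items;
}

// HARDENED (PHP >= 7.0): allowed_classes=false means no class is ever
// instantiated. Objects in the payload come back as __PHP_Incomplete_Class,
// whose magic methods do not run, and buildItems() rejects them because the
// result is not an array.
function loadCartSafe(string $clientData): array
{
    return buildItems(unserialize($clientData, ['allowed_classes' => false]));
}

// PREFERRED: do not accept PHP's native serialization format from clients at
// all. JSON carries no class names, so there is nothing to instantiate.
function loadCartJson(string $clientData): array
{
    return buildItems(json_decode($clientData, true, 8, JSON_THROW_ON_ERROR));
}

// Constructed inputs: a legitimate cart, and a payload that names a class
// (stdClass, which is harmless; the point is that the unsafe path builds it).
$legit   = serialize([['sku' => 'ABC-1', 'qty' => 2]]);
$hostile = 'O:8:"stdClass":0:{}';

print_r(loadCartSafe($legit));
var_dump(get_class(loadCartUnsafe($hostile)));   // the class named in the payload was instantiated
try {
    loadCartSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(loadCartJson('[{"sku":"ABC-1","qty":2}]'));
```

The allowed_classes guard only stops instantiation; it does not make the data trustworthy, which is why buildItems() still validates every field before constructing CartItem objects. The page does not describe how the vendor's 2.0.6 fix is implemented, so none of the above should be read as Magento's patch.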

Mitigation: The vendor has released a patched version; upgrade to Magento 2.0.6 or later.

Reference URLs: