Magento 1.9.3.3 was released on May 31 and is a security update for multiple critical security issues. The issues are also fixed in Magento 2.0 and 2.1, although upgrading from 1.9 to 2.1 is not directly possible.
The patch SUPEE-9767 addresses several security issues, like:
- APPSEC-1777: Remote Code Execution in DataFlow
- APPSEC-1686: Remote Code Execution in the Admin panel
- APPSEC-1634: XSS in data fields
These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. More details can be found in the Magento Security Center.
Magento 1.9.3.3 contains also an update for PayPal’s Instant Payment Notifications, which is necessary for retaining uninterrupted service after June 30.
It was reported that the update caused jQuery compatibility issues, that’s why it is very important to backup before upgrading or even better to first upgrade in a local test environment.
https://twitter.com/peterbaettig/status/870203863038652416
