During an audit of their WAF, Sucuri discovered a stored XSS vulnerability in Magento that is both dangerous and easy to exploit. Because the injected script executes in the browser of a logged-in administrator, an attacker can do anything that administrator can do: take over the site, create new administrator accounts, steal customer information, and so on. Every Magento installation running a version older than the patched releases below is affected.
Sucuri responsibly disclosed the issue to the Magento team, but worryingly it took them nearly two and a half months to release a patch. That patch (Magento CE 1.9.2.3, Magento EE 1.14.2.3) was released on Friday 22nd January, and every single Magento user is strongly encouraged to upgrade as soon as possible. Until you have upgraded, assume that anyone who can submit content to your store can get script in front of your administrators.
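The one check a store owner needs right now is whether the installed version is still below the patched release. The script below is an added example, not code from this post, from Sucuri or from Magento. It assumes a Magento 1 directory layout (app/Mage.php), the php CLI on PATH, and Magento 1's Mage::getVersion(), which returns the dotted version string. The CE version is the one named in the post; the EE number is the matching Enterprise release (1.14.2.3). The install path and edition passed on the command line are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the original post, Sucuri or Magento): decide whether
# a Magento 1.x install is still below the release that carries the stored XSS fix.
# Assumptions: Magento 1 layout (app/Mage.php), php CLI on PATH, Mage::getVersion().

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing each
# component numerically, so 1.9.10.0 > 1.9.2.3 and a missing component counts as 0.
version_ge() {
    a=$(printf '%s' "$1" | tr -cd '0-9.')   # keep digits and dots only
    b=$(printf '%s' "$2" | tr -cd '0-9.')
    i=1
    while :; do
        # the trailing dot guarantees cut always sees a delimiter; fields past
        # the end of the string come back empty
        x=$(printf '%s.' "$a" | cut -d. -f"$i")
        y=$(printf '%s.' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0          # every component compared equal
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# patched_version EDITION: first release carrying the fix (CE 1.9.2.3, EE 1.14.2.3).
patched_version() {
    case "$1" in
        CE|ce) echo 1.9.2.3 ;;
        EE|ee) echo 1.14.2.3 ;;
        *) echo "unknown edition: $1" >&2; return 1 ;;
    esac
}

# needs_upgrade INSTALLED EDITION: print a verdict; succeed (0) when an upgrade is
# required, fail (1) when the install is already at or above the patched release.
needs_upgrade() {
    fixed=$(patched_version "$2") || return 2
    if version_ge "$1" "$fixed"; then
        echo "Magento $2 $1: at or above $fixed, patched"
        return 1
    fi
    echo "Magento $2 $1: below $fixed, UPGRADE REQUIRED"
    return 0
}

# Usage: ./check_magento.sh /var/www/magento [CE|EE]   (path and edition are hypothetical)
if [ $# -gt 0 ]; then
    root=$1
    edition=${2:-CE}
    # Ask Magento itself for its version rather than trusting a cached copy of the tree
    installed=$(php -r "require '$root/app/Mage.php'; echo Mage::getVersion();") || exit 2
    needs_upgrade "$installed" "$edition"
fi
```

The version comparison is done component by component rather than with a plain string compare, so that a hypothetical 1.9.10.x would correctly rank above 1.9.2.3; run it against each store you operate, including staging copies that are reachable from the internet.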
For full technical details of the vulnerability, see Sucuri's original disclosure, and kudos to them yet again for their great work.