A large number (seventeen in total !) of security vulnerabilities have recently been announced by Magento, many of which are rated as critical and high and should therefore be patched as soon as possible using patch SUPEE-8788. Using the following release versions, Community Edition 1.9.3 or Enterprise Edition 1.14.3, are alternate ways to fix these issues.
Full details of all vulnerabilities can be see here, but those rated critical or high are listed below
Rated at 9.8 (Critical) – With some payment methods it might be possible to execute malicious PHP code during checkout.
Rated at 9.1 (Critical) – A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we’ve found an entry point in the Magento Admin panel, and other entry points most likely exist.
Rated at 7.7 (High) – With access to any CMS functionality, an attacker with administrator permissions can use blocks to exfiltrate information stored in cache. This sensitive information includes store configuration, encryption key, and database connection details. Additionally, it might be possible to execute code.
Rated at 7.5 (High) – In certain configurations, it is possible to log in as existing store customer while knowing only his email address, not his password.