A popular version of the Magento ecommerce platform is vulnerable to a zero-day remote code execution bug. The vulnerability is tied to a default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions. Magento confirmed the existence of the flaw in a brief statement to Threatpost and said it was investigating the issue. A likely exploitation scenario involves an attacker targeting a Magento admin panel user, no matter how low that user's privileges are. The attacker could entice the administrator to visit a URL that triggers a cross-site request forgery attack.
Source: https://threatpost.com/high-risk-zero-day-leaves-200000-magento-merchants-vulnerable/124965/