Magento patched 37 flaws Thursday, including a stored cross-site scripting (XSS) vulnerability that could have let an attacker take over a site. A remote code-execution (RCE) vulnerability could allow an authenticated user with limited permissions to create specially crafted newsletters and email templates that can be used to execute arbitrary code on targeted systems. The vulnerability has a CVSS score of 9.8 and impacts Magento versions 2.1 prior to 2.17, 2.2.
Source: https://threatpost.com/magento-xss-csrf-rce-vulnerabilities/143274/

