This is actually a Flex bug. Magento eCommerence <= 1.9.0 is compiled with a vulnerable Adobe Flex SDK. (CVE-2011-2461) which can lead to Same-Origin Request Forgery and Cross-Site Content Hijacking. Although adobe patched this bug, it is possible to exploit it in fully patched browsers with the latest version of Adobe Flash Player; CVE-2011-2461 is best explained by Mindedsecurity at http://blog.mindedsecurity.com/2015/03/the-old-is-new-again-cve-2011-2461-is.html This also leads to a Flash XSS in some older browsers. an attacker will create a malicious HTML page and embed the vulneable flash. When successfully exploited a Same Origin Request Forgery attack allows a malicious web site to perform arbitrary requests to the vulnerable site, and read its response without restrictions. You can test vulnerable flash files with https://github.com/ikkisoft/ParrotNG/ Vulnerable files: http://[magento_url]/skin/adminhtml/default/default/media/editor.swf http://[magento_url]/skin/adminhtml/default/default/media/Uploader.swf http://[magento_url]/skin/adminhtml/default/default/media/UploaderSingle.swf