Web security company Securi discovered and reported the bug last November, and a patch was released by Magento at the end of last week.
The problem, roughly speaking, was that the order template allowed attackers to embed commands in what was supposed to be the customer's email address, and these commands were executed when an admin user examined the order in the administration panel.
While Securi only revealed a harmless demonstration of the way this works, the company says it "could be used by attackers to take over your site, create new administrator accounts, steal client informations, anything a legitimate administrator account is allowed to do."
The company warned that this issue affects almost every installation of Magento CE 22.214.171.124 or earlier, and Magento EE 126.96.36.199.
The vulnerability is now public knowledge, so if you use Magneto it is important that you install patch bundle SUPEE-7405, or make sure that whoever looks after the technical side of your Magento-based store has done that for you.