This is actually a Flex bug. Magento eCommerence <= 1.9.0 is compiled
with a vulnerable Adobe Flex SDK. (CVE-2011-2461) which can lead to
Same-Origin Request Forgery
and Cross-Site Content Hijacking.

Although adobe patched this bug, it is possible to exploit it in fully
patched browsers with
the latest version of Adobe Flash Player;

CVE-2011-2461 is best explained by Mindedsecurity at
http://blog.mindedsecurity.com/2015/03/the-old-is-new-again-cve-2011-2461-is.html

This also leads to a Flash XSS in some older browsers.

an attacker will create a malicious HTML page and embed the vulneable flash.

When successfully exploited a Same Origin Request Forgery attack
allows a malicious web site to perform arbitrary requests to the
vulnerable site, and read its response without restrictions.

You can test vulnerable flash files with https://github.com/ikkisoft/ParrotNG/

Vulnerable files:

http://[magento_url]/skin/adminhtml/default/default/media/editor.swf

http://[magento_url]/skin/adminhtml/default/default/media/Uploader.swf

http://[magento_url]/skin/adminhtml/default/default/media/UploaderSingle.swf