SUPEE-5344 addresses a specific remote code execution (RCE) vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store.
You can find more details on the vulnerability addressed by this patch below:
Remote code execution – APPSEC-921
| Type: | Remote Code Execution |
| CVSSv3 Severity: | 9.1 (Critical) |
| Description: | An authentication bypass uses a special parameter that allows the execution of an Admin action. The Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server. |
| Product(s) Affected: | Magento CE prior to 220.127.116.11, and Magento EE prior to 18.104.22.168. |
| Fixed In: | CE 22.214.171.124 |
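
The description names counterfeit administrator accounts as one result of a compromise, so reviewing the admin user list is a natural check after patching. The query below is an added example, not part of the original advisory or Magento's own tooling; it assumes the stock Magento 1 schema with no table prefix (`admin_user`, `admin_role`), and `@baseline` is a placeholder for the last date the admin list was known to be good.

```sql
-- Added example: list Magento 1 admin accounts so unexpected ones stand out.
-- Assumption: default table names with no prefix (admin_user, admin_role).
-- @baseline is a constructed sample value; replace it with the last date
-- on which the set of admin accounts was reviewed and known to be correct.
SET @baseline = '2015-01-01 00:00:00';

SELECT u.user_id,
       u.username,
       u.email,
       u.created,
       u.logdate,                 -- last login time, NULL if never used
       u.lognum,                  -- number of logins
       u.is_active,
       grp.role_name AS role_name,
       CASE
           WHEN u.created >= @baseline THEN 'created after baseline'
           WHEN u.lognum = 0           THEN 'never logged in'
           ELSE 'existing account'
       END AS note
FROM admin_user AS u
-- Each user has a 'U' row in admin_role whose parent_id points at the
-- 'G' (group) row that carries the actual role name and permissions.
LEFT JOIN admin_role AS usr
       ON usr.user_id = u.user_id AND usr.role_type = 'U'
LEFT JOIN admin_role AS grp
       ON grp.role_id = usr.parent_id AND grp.role_type = 'G'
ORDER BY u.created DESC;
```

Any row marked `created after baseline` that no operator can account for should be treated as a sign the store was compromised before the patch was applied.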