Magento Security Patch – SUPEE 5344 – SHOPLIFT BUG PATCH
The SUPEE 5344 patch addresses a specific remote code execution (RCE) vulnerability known as the “shoplift bug”, which allows an attacker to obtain Admin access to a store. Shoplift is a bug in Magento that lets an attacker take full control of a shop, including stealing customer records and tampering with payments.
FOLLOWING ARE THE DETAILS ON THE VULNERABILITIES ADDRESSED BY THIS PATCH –
Remote code execution – APPSEC-921
- Type: Remote Code Execution
- CVSSv3 Severity: 9.1 (Critical)
- Known Attacks: Yes
- Description: An authentication bypass uses a special request parameter that allows an Admin action to be executed without logging in. That Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.
- Product(s) Affected: Magento CE prior to 184.108.40.206, and Magento EE prior to 220.127.116.11.
- Fixed In: CE 18.104.22.168
- Reporter: Netanel Rubin
To determine if your store has been patched, see the SHOPLIFT BUG TEST.
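A complementary local check, added here as an example and not part of the original advisory or of Magento's own tooling: Magento 1.x patch scripts record each applied patch in app/etc/applied.patches.list, so the function below reads that file and reports whether SUPEE-5344 is currently applied, reverted, or absent. The record layout (pipe-separated fields, patch name in the second field, a REVERTED token on rollback lines) and the sample content are assumptions constructed for this example.

```python
"""Report the SUPEE-5344 state from a Magento 1.x applied.patches.list.

Assumed record format: one pipe-separated line per apply/revert event,
patch name (e.g. SUPEE-5344) in the second field, and the literal token
REVERTED present on a line when that patch was rolled back.
"""
import os

PATCH_NAME = "SUPEE-5344"

# Constructed sample file contents; SUPEE-0000 is a placeholder patch name.
SAMPLE_LIST = """\
2015-02-10 09:12:44 UTC | SUPEE-0000 | CE_1.9.1.0 | v1 | a1b2c3 | PATCH_SUPEE-0000.sh | N/A
2015-02-10 09:15:02 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | d4e5f6 | PATCH_SUPEE-5344_CE_1.8.0.0_v1.sh | N/A
2015-02-11 16:40:19 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | d4e5f6 | PATCH_SUPEE-5344_CE_1.8.0.0_v1.sh | N/A | REVERTED
"""


def patch_state(contents, patch_name=PATCH_NAME):
    """Return 'applied', 'reverted' or 'missing' for patch_name.

    Records are processed in file order, so the most recent apply or
    revert event for the patch decides the result.
    """
    state = "missing"
    for line in contents.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2 or fields[1] != patch_name:
            continue
        state = "reverted" if "REVERTED" in fields else "applied"
    return state


def check_store(magento_root, patch_name=PATCH_NAME):
    """Read <magento_root>/app/etc/applied.patches.list and report the state.

    A missing file means no patch script has ever run on this install.
    """
    path = os.path.join(magento_root, "app", "etc", "applied.patches.list")
    try:
        with open(path, encoding="utf-8") as fh:
            return patch_state(fh.read(), patch_name)
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    # The sample applies the patch and then reverts it, so it is unprotected.
    print(PATCH_NAME, "state:", patch_state(SAMPLE_LIST))
```

The list only records patches applied through the official patch scripts; a store upgraded to a release that already contains the fix will show "missing" here and should be judged by its version instead.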