{"id":"GHSA-gpmh-g94g-qrhr","summary":"Internal hidden fields are visible on to-many associations in the Admin API","details":"### Impact\nThe Admin API exposed some internal hidden fields when an association was loaded through a to-many reference.\n\n### Patches\nWe recommend updating to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n","modified":"2026-03-13T22:14:31.679944Z","published":"2021-06-28T18:20:53Z","related":["CVE-2021-32716"],"database_specific":{"cwe_ids":[],"github_reviewed":true,"nvd_published_at":null,"severity":"MODERATE","github_reviewed_at":"2021-06-24T19:20:56Z"},"references":[{"type":"WEB","url":"https://github.com/shopware/platform/security/advisories/GHSA-gpmh-g94g-qrhr"}],"affected":[{"package":{"name":"shopware/platform","ecosystem":"Packagist","purl":"pkg:composer/shopware/platform"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.4.1.1"}]}],"versions":["6.3.0.0","6.3.0.1","6.3.0.2","6.3.1.0","6.3.1.1","6.3.2.0","6.3.2.1","6.3.3.0","6.3.3.1","6.3.4.0","6.3.4.1","6.3.5.0","6.3.5.1","6.3.5.2","6.3.5.3","6.3.5.4","6.4.0.0","6.4.0.0-RC1","6.4.1.0","v6.0.0+dp1","v6.1.0","v6.1.0-rc1","v6.1.0-rc2","v6.1.0-rc3","v6.1.0-rc4","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.1.6","v6.2.0","v6.2.0-RC1","v6.2.1","v6.2.2","v6.2.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-gpmh-g94g-qrhr/GHSA-gpmh-g94g-qrhr.json","last_known_affected_version_range":"\u003c= 6.4.1.0"}},{"package":{"name":"shopware/core","ecosystem":"Packagist","purl":"pkg:composer/shopware/core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.4.1.1"}]}],"versions":["6.3.0.0","6.3.0.1","6.3.0.2","6.3.1.0","6.3.1.1","6.3.2.0","6.3.2.1","6.3.3.0","6.3.3.1","6.3.4.0","6.3.4.1","6.3.5.0","6.3.5.1","6.3.5.2","6.3.5.3","6.3.5.4","6.4.0.0","6.4.0.0-RC1","6.4.1.0","v6.0.0+ea2","v6.1.0","v6.1.0-rc1","v6.1.0-rc2","v6.1.0-rc3","v6.1.0-rc4","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.1.6","v6.2.0","v6.2.0-RC1","v6.2.1","v6.2.2","v6.2.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-gpmh-g94g-qrhr/GHSA-gpmh-g94g-qrhr.json","last_known_affected_version_range":"\u003c= 6.4.1.0"}}],"schema_version":"1.7.5"}