Internal hidden fields are visible on to many associations in admin api
CVE-2021-32716

4.4MEDIUM

Key Information:

Vendor

Shopware

Status
Platform
Vendor
CVE Published:
24 June 2021

What is CVE-2021-32716?

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Affected Version(s)

platform < 6.4.1.1

References

https://github.com/shopware/platform/security/advisories/...
x_refsource_CONFIRM
https://github.com/shopware/platform/commit/b5c3ce3e93bd1...
x_refsource_MISC
https://docs.shopware.com/en/shopware-6-en/security-updat...
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.