CVE-2021-32716: 
PHP vulnerability analysis and mitigation

CVE-2021-32716 affects Shopware, an open source eCommerce platform, in versions prior to 6.4.1.1. The vulnerability exposes internal hidden fields in the admin API when an association has been loaded with a to-many reference. The issue was discovered and disclosed on June 24, 2021 (Vendor Advisory, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue is related to incorrect authorization (CWE-863) and exposure of sensitive information to unauthorized actors (CWE-200). The vulnerability specifically occurs when loading associations with to-many references in the admin API, which inadvertently exposes internal hidden fields that should not be accessible (NVD).

The vulnerability allows exposure of internal hidden fields through the admin API when accessing associations with to-many references. This could potentially lead to unauthorized access to sensitive information that should be restricted (GitHub Advisory).

Users are recommended to update to version 6.4.1.1, which can be obtained through the Auto-Updater or directly from the download overview. For older versions (6.1, 6.2, and 6.3), security measures are available via a plugin. The update can be accessed through the official Shopware download page (Vendor Advisory).