GHSA-HHCQ-PH6W-494G Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
Impact The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. The processing of the Criteria did not considered...