Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete
CVE-2023-41336
6.5 MEDIUM
Summary
ux-autocomplete provides JavaScript autocomplete functionality for Symfony forms. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType field that is not part of the field's valid choices, so the server-side choice restriction could be bypassed. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.
Affected Version(s)
ux-autocomplete < 2.11.2
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved