CVE-2023-41336
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| symfony | ux-autocomplete | < 2.11.2 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
- https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
- https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
- https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
- https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.