CVE-2023-41336
Summary
| CVE | CVE-2023-41336 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-11 20:15:00 UTC |
| Updated | 2023-09-15 17:32:00 UTC |
| Description | ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Symfony | Ux Autocomplete | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Prevent injection of invalid entity ids for "autocomplete" fields · Advisory · symfony/ux-autocomplete · GitHub | MISC | github.com | |
| Fixing autocomplete security bug by using the query_builder · symfony/ux-autocomplete@fabcb2e · GitHub | MISC | github.com | |
| Symfony UX Autocomplete Documentation | MISC | symfony.com | |
| github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autoc... | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.