Description
ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.
References (4)
Vendor Advisory: https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
Patch: https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
Third Party Advisory: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
Product: https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
Scores
CVSS v3
6.5
EPSS
0.0052
EPSS Percentile
40.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (2)
symfony/ux-autocomplete
0 - 2.11.2 (Packagist)
symfony/ux_autocomplete
< 2.11.2
Published
Sep 11, 2023
Tracked Since
Feb 18, 2026