Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS00Y3B2LTY2OWMtcjc5eM4AA1yz

Prevent injection of invalid entity ids for "autocomplete" fields

Impact

Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices.

Affected applications are any that use:

• A custom query_builder option to limit the valid results;
  AND
• An EntityType with 'autocomplete' => true or a custom AsEntityAutocompleteField.

Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with query_builder.

Patches

The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Workarounds

Upgrade to version 2.11.2 or greater of symfony/ux-autocomplete or perform extra validation after submit to verify the selected option is valid.

Permalink: https://github.com/advisories/GHSA-4cpv-669c-r79x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Y3B2LTY2OWMtcjc5eM4AA1yz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 6 months ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-4cpv-669c-r79x, CVE-2023-41336
References:

• https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
• https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
• https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
• https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
• https://nvd.nist.gov/vuln/detail/CVE-2023-41336
• https://github.com/advisories/GHSA-4cpv-669c-r79x

Repository: https://github.com/symfony/ux-autocomplete
Blast Radius: 10.2

Affected Packages