Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00Y3B2LTY2OWMtcjc5eM4AA1yz
Prevent injection of invalid entity ids for "autocomplete" fields
Impact
Under certain circumstances, an attacker could successfully submit an entity id for an EntityType
that is not part of the valid choices.
Affected applications are any that use:
- A custom
query_builder
option to limit the valid results;
AND - An
EntityType
with'autocomplete' => true
or a custom AsEntityAutocompleteField.
Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with query_builder
.
Patches
The problem has been fixed in symfony/ux-autocomplete
version 2.11.2.
Workarounds
Upgrade to version 2.11.2 or greater of symfony/ux-autocomplete
or perform extra validation after submit to verify the selected option is valid.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Y3B2LTY2OWMtcjc5eM4AA1yz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-4cpv-669c-r79x, CVE-2023-41336
References:
- https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
- https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
- https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
- https://nvd.nist.gov/vuln/detail/CVE-2023-41336
- https://github.com/advisories/GHSA-4cpv-669c-r79x
Blast Radius: 10.2
Affected Packages
packagist:symfony/ux-autocomplete
Dependent packages: 7Dependent repositories: 37
Downloads: 888,348 total
Affected Version Ranges: < 2.11.2
Fixed in: 2.11.2
All affected versions: 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1
All unaffected versions: 2.11.2, 2.12.0, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.14.0, 2.14.2, 2.15.0, 2.16.0, 2.17.0