CVE-2023-41336

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41336

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41336.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-41336

Aliases

GHSA-4cpv-669c-r79x

Published

2023-09-11T19:21:48Z

Modified

2025-10-30T20:22:34.002054Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete

Details

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Database specific

{
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

Git / github.com/symfony/ux-autocomplete

Affected ranges

Type: GIT
Repo: https://github.com/symfony/ux-autocomplete
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fabcb2eee14b9e84a45b276711853a560b5d770c

Affected versions

v2.*

v2.10.0

v2.11.0

v2.11.1

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.7.0

v2.7.1

v2.8.0

v2.8.1

v2.9.0

v2.9.1