GoogleOSV:GHSA-4CPV-669C-R79XPrevent injection of invalid entity ids for "autocomplete" fields
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.0%
Impact
Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices.
Affected applications are any that use:
- A custom
query_builderoption to limit the valid results;
AND - An
EntityTypewith'autocomplete' => trueor a custom AsEntityAutocompleteField.
Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with query_builder.
Patches
The problem has been fixed in symfony/ux-autocomplete version 2.11.2.
Workarounds
Upgrade to version 2.11.2 or greater of symfony/ux-autocomplete or perform extra validation after submit to verify the selected option is valid.
References
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
github.com/symfony/ux-autocomplete
github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
nvd.nist.gov/vuln/detail/CVE-2023-41336
symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.0%