Veracode Vulnerability DatabaseVERACODE:43267Improper Input Validation
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.0%
ux-autocomplete is vulnerable to Improper Input Validation. The vulnerability is due to a missing validation check while submitting an entry id for an EntityType when selecting an entry in the Autocomplete UI component. This causes an entity id for an EntityType that is not part of the valid choices to be selected and even when the matching record for that entry id is not returned by the custom query built with query_builder. The affected applications are only those which either use a custom query_builder option to limit the valid results and EntityType with autocomplete => true or a custom AsEntityAutocompleteField.
| CPE | Name | Operator | Version |
|---|---|---|---|
| symfony/ux-autocomplete | le | v2.11.1 | |
| symfony/ux-autocomplete | le | v2.11.1 |
References
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml
github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c
github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x
symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.0%