logo

Database

Lack of data validation In symfony/ux-autocomplete

Description

Prevent injection of invalid entity ids for "autocomplete" fields

Impact

Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices.

Affected applications are any that use:

    A custom query_builder option to limit the valid results; AND

    An EntityType with 'autocomplete' => true or a custom AsEntityAutocompleteField.

Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with query_builder.

Patches

The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Workarounds

Upgrade to version 2.11.2 or greater of symfony/ux-autocomplete or perform extra validation after submit to verify the selected option is valid.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-413362. NVD-2023-413363. OSV-2023-413364. GHSA-4cpv-669c-r79x5. GCVE-2023-41336

References

1. https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x2. https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c3. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml4. https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.