GHSA-4cpv-669c-r79x: Prevent injection of invalid entity ids for "autocomplete" fields

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-41336

Prevent injection of invalid entity ids for “autocomplete” fields

Moderate severity GitHub Reviewed Published Sep 11, 2023 in symfony/ux-autocomplete • Updated Sep 11, 2023

Package

composer symfony/ux-autocomplete (Composer)

Affected versions

< 2.11.2

Description

Impact

Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices.

Affected applications are any that use:

• A custom query_builder option to limit the valid results;
  AND
• An EntityType with ‘autocomplete’ => true or a custom AsEntityAutocompleteField.

Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with query_builder.

Patches

The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Workarounds

Upgrade to version 2.11.2 or greater of symfony/ux-autocomplete or perform extra validation after submit to verify the selected option is valid.

References

• GHSA-4cpv-669c-r79x
• symfony/ux-autocomplete@fabcb2e
• https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax

Published to the GitHub Advisory Database

Sep 11, 2023

Last updated

Sep 11, 2023