CVE-2023-41336 Information

Description

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Reference

https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c