GHSA-4cpv-669c-r79x

GitHub Security Advisory

Prevent injection of invalid entity ids for "autocomplete" fields

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

### Impact
Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices.

Affected applications are any that use both:

* A custom `query_builder` option to limit the valid results, and
* An `EntityType` with `'autocomplete' => true` or a custom [AsEntityAutocompleteField](https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax).

In this situation, a submitted id is accepted even if the matching record would not be returned by the custom query built with `query_builder`, so the `query_builder` restriction is not enforced on submit.

### Patches

The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

### Workarounds
Upgrade to version 2.11.2 or greater of `symfony/ux-autocomplete` or perform extra validation after submit to verify the selected option is valid.
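The following is an added example, not code from the advisory or from the `symfony/ux-autocomplete` project. It shows the affected configuration (an `EntityType` with both a custom `query_builder` and `'autocomplete' => true`) next to the post-submit validation the advisory recommends as a workaround: the same query builder is re-run, restricted to the submitted entity's id, and the field is marked invalid when no row comes back. The `App\Entity\Product` entity, its `active` column, the `OrderLineType` form and the field name are assumptions made for the illustration.

```php
<?php
// Added example; not from the advisory or symfony/ux-autocomplete.
// Assumptions: an App\Entity\Product Doctrine entity with a boolean
// `active` column, and a form that should only accept active products.

namespace App\Form;

use App\Entity\Product;
use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\EntityRepository;
use Doctrine\ORM\QueryBuilder;
use Symfony\Bridge\Doctrine\Form\Type\EntityType;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormError;
use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;

final class OrderLineType extends AbstractType
{
    public function __construct(private readonly EntityManagerInterface $em)
    {
    }

    /** The restriction the autocomplete field is supposed to enforce. */
    private static function activeProducts(EntityRepository $er): QueryBuilder
    {
        return $er->createQueryBuilder('p')
            ->andWhere('p.active = :active')
            ->setParameter('active', true);
    }

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // Affected configuration: custom query_builder + autocomplete.
        // With ux-autocomplete before 2.11.2 an id outside this query's
        // result set (e.g. an inactive product) was still accepted.
        $builder->add('product', EntityType::class, [
            'class' => Product::class,
            'query_builder' => fn (EntityRepository $er) => self::activeProducts($er),
            'autocomplete' => true,
        ]);

        // Workaround from the advisory: validate again after submit.
        // Re-run the same query, narrowed to the submitted entity's id;
        // if it returns nothing, the id was not a legitimate choice.
        $builder->get('product')->addEventListener(
            FormEvents::POST_SUBMIT,
            function (FormEvent $event): void {
                $field = $event->getForm();
                $product = $field->getData();
                if (!$product instanceof Product) {
                    return; // empty submission: leave it to NotBlank etc.
                }

                $qb = self::activeProducts($this->em->getRepository(Product::class));
                $alias = $qb->getRootAliases()[0];
                $match = $qb
                    ->andWhere(sprintf('%s.id = :submittedId', $alias))
                    ->setParameter('submittedId', $product->getId())
                    ->getQuery()
                    ->getOneOrNullResult();

                if (null === $match) {
                    // Same message EntityType uses for an invalid choice.
                    $field->addError(new FormError('The selected choice is invalid.'));
                }
            }
        );
    }
}
```

Because the check reuses the field's own `query_builder`, it stays consistent with the autocomplete results the user actually sees, and it remains correct (and redundant) once the package is upgraded to 2.11.2 or later, so it can be left in place as defence in depth.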

Affected Packages

Packagist symfony/ux-autocomplete
Affected versions: all versions before 2.11.2 (fixed in 2.11.2)

Key Information

GHSA ID
GHSA-4cpv-669c-r79x
Published
September 11, 2023 2:43 PM
Last Modified
September 11, 2023 2:43 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
symfony/ux-autocomplete
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.