Search for packages
| purl | pkg:composer/symfony/ux-autocomplete@2.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-e87n-sdj5-b3b7
Aliases: CVE-2023-41336 GHSA-4cpv-669c-r79x |
Prevent injection of invalid entity ids for "autocomplete" fields ### Impact Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. Affected applications are any that use: * A custom `query_builder` option to limit the valid results; AND * An `EntityType` with `'autocomplete' => true` or a custom [AsEntityAutocompleteField](https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax). Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with `query_builder`. ### Patches The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2. ### Workarounds Upgrade to version 2.11.2 or greater of `symfony/ux-autocomplete` or perform extra validation after submit to verify the selected option is valid. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-30T06:19:35.753227+00:00 | GitLab Importer | Affected by | VCID-e87n-sdj5-b3b7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/ux-autocomplete/CVE-2023-41336.yml | 38.6.0 |