
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 May 2025 — Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. The issue is fixed in version `2.25.1` of `symfony/ux-twig-component`. Those who... • https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Sep 2023 — ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2. • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml • CWE-20: Improper Input Validation •