CVE-2023-41336

Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

ux-autocomplete es una funcionalidad de Autocompletar de JavaScript para Symfony. En determinadas circunstancias, un atacante podría enviar con éxito una identificación de entidad para un "EntityType" que *no* forma parte de las opciones válidas. El problema se ha solucionado en `symfony/ux-autocomplete` versión 2.11.2.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-28 CVE Reserved
2023-09-11 CVE Published
2024-09-26 CVE Updated
2024-10-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (4)

URL	Tag	Source
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml	Third Party Advisory
https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c	2023-09-15

URL	Date	SRC
https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x	2023-09-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Symfony Search vendor "Symfony"		Ux Autocomplete Search vendor "Symfony" for product "Ux Autocomplete"				< 2.11.2 Search vendor "Symfony" for product "Ux Autocomplete" and version " < 2.11.2"		-		Affected