CVE-2023-41336

Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete

Description

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.80% Top 30%
Vendor Advisory github.com
Affected: symfony ux-autocomplete
Published at:
Updated at:

References

Link Tags
https://github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x vendor advisory
https://github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c patch
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml third party advisory
https://symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax product

Frequently Asked Questions

What is the severity of CVE-2023-41336?
CVE-2023-41336 has been scored as a medium severity vulnerability.
How to fix CVE-2023-41336?
To fix CVE-2023-41336, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-41336 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-41336 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-41336?
CVE-2023-41336 affects symfony ux-autocomplete.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.