CVE-2023-41336

2023-09-1120:15:10

CWE-20

[email protected]

web.nvd.nist.gov

javascript

autocomplete

symfony

cve-2023-41336

security

vulnerability

patch

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

19.8%

JSON

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Affected configurations

Vulners

NVD

Node

symfonyux_autocompleteRange<2.11.2

VendorProductVersionCPE
symfonyux_autocomplete*cpe:2.3:a:symfony:ux_autocomplete:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
symfony	ux_autocomplete	*	cpe:2.3:a:symfony:ux_autocomplete::::::::

CNA Affected

[
  {
    "vendor": "symfony",
    "product": "ux-autocomplete",
    "versions": [
      {
        "version": "< 2.11.2",
        "status": "affected"
      }
    ]
  }
]