Lucene search

K

[email protected]NVD:CVE-2023-41336

HistorySep 11, 2023 - 8:15 p.m.

CVE-2023-41336

2023-09-1120:15:10

CWE-20

[email protected]

web.nvd.nist.gov

5

cve-2023-41336

javascript

autocomplete

symfony

vulnerability

fixed

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

25.4%

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.

Affected configurations

Nvd

Node

symfonyux_autocompleteRange<2.11.2

References

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml

github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c

github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x

symfony.com/bundles/ux-autocomplete/current/index.html#usage-in-a-form-with-ajax

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

25.4%

Related for NVD:CVE-2023-41336

osv2 github1 cvelist1 veracode1 prion1 cve1 symfony1 friendsofphp1