Prevent injection of invalid entity ids for "autocomplete" fields
Moderate severity
GitHub Reviewed
Published
Sep 11, 2023
in
symfony/ux-autocomplete
•
Updated Nov 10, 2023
Description
Published to the GitHub Advisory Database
Sep 11, 2023
Reviewed
Sep 11, 2023
Published by the National Vulnerability Database
Sep 11, 2023
Last updated
Nov 10, 2023
Impact
Under certain circumstances, an attacker could successfully submit an entity id for an
EntityType
that is not part of the valid choices.Affected applications are any that use:
query_builder
option to limit the valid results;AND
EntityType
with'autocomplete' => true
or a custom AsEntityAutocompleteField.Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with
query_builder
.Patches
The problem has been fixed in
symfony/ux-autocomplete
version 2.11.2.Workarounds
Upgrade to version 2.11.2 or greater of
symfony/ux-autocomplete
or perform extra validation after submit to verify the selected option is valid.References