Symfony · Symfony/Ux-Autocomplete · CVE-2023-41336
**Name of the Vulnerable Software and Affected Versions**
symfony/ux-autocomplete versions prior to 2.11.2
**Description**
The issue allows an attacker to submit an entity id for an `EntityType` that is not part of the valid choices under certain circumstances. This can occur in applications that use a custom `query_builder` option to limit valid results together with an `EntityType` that has `'autocomplete' => true` or a custom `AsEntityAutocompleteField`. If an id is submitted directly, it is accepted even if the matching record would not be returned by the custom query built with `query_builder`, so the choice restriction is bypassed.
**Recommendations**
For versions prior to 2.11.2, upgrade to version 2.11.2 or later of `symfony/ux-autocomplete` to fix the issue. Alternatively, perform extra validation after submit to verify that the selected entity is actually one of the choices returned by the `query_builder`.
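The following form type is an added example of the "extra validation after submit" workaround; it is not code from the advisory or from the symfony/ux-autocomplete project. It limits an `EntityType` with `'autocomplete' => true` to records owned by the current user via `query_builder`, then re-runs that same query on `FormEvents::POST_SUBMIT` and rejects the submission if the chosen entity is not in the result. The `Project` entity, its `owner` field, the `App\` namespaces and the use of `Symfony\Bundle\SecurityBundle\Security` (Symfony 6.2+) are assumptions.

```php
<?php
// Added example, not part of the advisory or the symfony/ux-autocomplete project.
// Assumptions: an App\Entity\Project entity with an "owner" association,
// Symfony 6.2+ (Security service from SecurityBundle) and Doctrine ORM.

namespace App\Form;

use App\Entity\Project;
use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\EntityRepository;
use Doctrine\ORM\QueryBuilder;
use Symfony\Bridge\Doctrine\Form\Type\EntityType;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\FormError;
use Symfony\Component\Form\FormEvent;
use Symfony\Component\Form\FormEvents;

final class TaskType extends AbstractType
{
    public function __construct(
        private readonly Security $security,
        private readonly EntityManagerInterface $em,
    ) {
    }

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // Single source of truth for "which projects may be chosen": only the
        // current user's own projects. The same closure is used both to build
        // the autocomplete choice list and to re-validate after submit, so the
        // two conditions cannot drift apart.
        $restrictToOwner = fn (EntityRepository $repo): QueryBuilder => $repo
            ->createQueryBuilder('p')
            ->andWhere('p.owner = :owner')
            ->setParameter('owner', $this->security->getUser());

        $builder->add('project', EntityType::class, [
            'class' => Project::class,
            'autocomplete' => true,
            'query_builder' => $restrictToOwner,
        ]);

        // Vulnerable versions accept any submitted id, even one outside the
        // restricted query. This listener runs after the id has been turned
        // into an entity and checks that the entity is really among the
        // allowed choices by re-executing the restricted query for that id.
        $builder->get('project')->addEventListener(
            FormEvents::POST_SUBMIT,
            function (FormEvent $event) use ($restrictToOwner): void {
                $project = $event->getData();
                if (!$project instanceof Project) {
                    // Empty or unmapped value: left to the field's own validation.
                    return;
                }

                $match = $restrictToOwner($this->em->getRepository(Project::class))
                    ->andWhere('p.id = :id')
                    ->setParameter('id', $project->getId())
                    ->getQuery()
                    ->getOneOrNullResult();

                if (null === $match) {
                    // Reject the submission; the error is attached to the field
                    // and the form is no longer valid.
                    $event->getForm()->addError(
                        new FormError('The selected project is not a valid choice.')
                    );
                }
            }
        );
    }
}
```

Because the listener reuses the exact `query_builder` closure and only adds an `id` predicate, any record the autocomplete would not have offered is rejected regardless of how the id reached the server. Upgrading to 2.11.2 or later remains the primary fix; this check is the fallback the advisory describes for deployments that cannot upgrade immediately.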