PT-2023-27912 · Symfony · Symfony/Ux-Autocomplete

Janklan · Published 2023-09-11 · Updated 2023-09-15 · CVE-2023-41336

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: symfony/ux-autocomplete versions prior to 2.11.2

Description: The issue allows an attacker to submit an entity id for an EntityType that is not part of the valid choices under certain circumstances. This can occur in applications that use a custom query_builder option to limit the valid results together with an EntityType configured with 'autocomplete' => true or a custom AsEntityAutocompleteField. If an id is submitted, it is accepted even when the matching record would not be returned by the query built with the custom query_builder.

Recommendations: For versions prior to 2.11.2, upgrade to version 2.11.2 or greater of symfony/ux-autocomplete to fix the issue. Alternatively, perform extra validation after submit to verify that the selected option is valid.
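The workaround in the recommendation, shown as an added example (not code from the advisory or from the ux-autocomplete project): the form type defines the allowed set once as a query_builder closure and, after submit, a Callback constraint re-runs that same restricted query for the submitted entity, so an id that the widget would never have offered is rejected. The Product entity, its `owner` relation and the `current_user` form option are assumptions.

```php
<?php
// Added example, not code from the advisory or the ux-autocomplete project. Assumed:
// App\Entity\Product with an `owner` relation; the current user arrives via the 'current_user' option.
namespace App\Form;
use App\Entity\Product;
use Doctrine\ORM\EntityManagerInterface;
use Doctrine\ORM\EntityRepository;
use Symfony\Bridge\Doctrine\Form\Type\EntityType;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Validator\Constraints\Callback;
use Symfony\Component\Validator\Context\ExecutionContextInterface;

class OwnedProductChoiceType extends AbstractType
{
    public function __construct(private EntityManagerInterface $em) {}

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $owner = $options['current_user'];
        // One definition of "valid choices", reused for the widget AND for validation.
        $allowed = static fn (EntityRepository $er) => $er->createQueryBuilder('p')
            ->andWhere('p.owner = :owner')
            ->setParameter('owner', $owner);

        $builder->add('product', EntityType::class, [
            'class'         => Product::class,
            'autocomplete'  => true,     // choices are fetched via ux-autocomplete
            'query_builder' => $allowed, // on its own this only restricts what the widget offers
            // Post-submit check: the submitted id must come back from the same restricted query.
            'constraints'   => [
                new Callback(function (?Product $value, ExecutionContextInterface $ctx) use ($allowed): void {
                    if ($value === null) {
                        return; // emptiness is the job of NotNull/NotBlank
                    }
                    $match = $allowed($this->em->getRepository(Product::class))
                        ->andWhere('p.id = :id')->setParameter('id', $value->getId())
                        ->getQuery()->getOneOrNullResult();
                    if ($match === null) {
                        $ctx->buildViolation('The selected product is not a valid choice.')->addViolation();
                    }
                }),
            ],
        ]);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setRequired('current_user');
    }
}
```

The check keys on `getId()` and the `p` alias used in the shared closure; if the query_builder uses a different alias, the `p.id` condition must use that alias too.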

Weakness Enumeration

Related Identifiers

CVE-2023-41336
GHSA-4CPV-669C-R79X

Affected Products

Symfony/Ux-Autocomplete