6.5
CVE-2023-41336
- EPSS 1.07%
- Veröffentlicht 11.09.2023 20:15:10
- Zuletzt bearbeitet 21.11.2024 08:21:06
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPrevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete
ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Symfony ≫ Ux Autocomplete Version < 2.11.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.07% | 0.778 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
| security-advisories@github.com | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.