Advisories for Composer/Symfony/Ux-Autocomplete package

The Stimulus controller shipped with symfony/ux-autocomplete renders AJAX response items into the dropdown by interpolating the text field directly into HTML template literals (<div>${item[labelField]}</div>) inside _createAutocompleteWithRemoteData(). The value is parsed as HTML rather than text, so any markup contained in the AJAX response is executed by the browser. When the dropdown values are derived from user-supplied content, an attacker can craft a string that triggers stored XSS in the browser …

Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %…% without escaping the SQL LIKE wildcards (%, _, ). The value is passed as a bound parameter, so this is not SQL injection, but a client can send % to match every row or use _ as a single-character wildcard. Because searchable_fields defaults to every property of the entity and the autocomplete endpoint …

Impact Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. Affected applications are any that use: A custom query_builder option to limit the valid results; AND An EntityType with 'autocomplete' => true or a custom AsEntityAutocompleteField. Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by …