Under certain circumstances, an attacker could successfully submit an entity id for an
EntityType that is not part of the valid choices.
Affected applications are any that use:
- A custom
query_builder option to limit the valid results; AND
'autocomplete' => true or a custom AsEntityAutocompleteField.
Under this circumstance, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with
The problem has been fixed in
symfony/ux-autocomplete version 2.11.2.
Upgrade to version 2.11.2 or greater of
symfony/ux-autocomplete or perform extra validation after submit to verify the selected option is valid.