CVE-2023-41336: 
PHP vulnerability analysis and mitigation

CVE-2023-41336 affects symfony/ux-autocomplete, a JavaScript Autocomplete functionality for Symfony. The vulnerability was discovered and disclosed on September 11, 2023, affecting versions prior to 2.11.2. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices (GitHub Advisory).

The vulnerability occurs in applications that use a custom querybuilder option to limit valid results and an EntityType with 'autocomplete' => true or a custom AsEntityAutocompleteField. In this scenario, if an id is submitted, it is accepted even if the matching record would not be returned by the custom query built with querybuilder. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to bypass intended restrictions on entity selection. When exploited, an attacker could submit and have the system accept entity IDs that should be invalid according to the configured query builder restrictions (GitHub Advisory).

The vulnerability has been fixed in symfony/ux-autocomplete version 2.11.2. Users should upgrade to this version or later. If immediate upgrade is not possible, users can implement extra validation after submit to verify the selected option is valid (GitHub Advisory).