GHSA-9h9q-qhxg-89xr

Suggest an improvement
Source
https://github.com/advisories/GHSA-9h9q-qhxg-89xr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9h9q-qhxg-89xr/GHSA-9h9q-qhxg-89xr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9h9q-qhxg-89xr
Aliases
Published
2024-09-27T20:51:01Z
Modified
2024-09-27T21:12:59.095173Z
Summary
Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting
Details

Summary

If values passed to a ColorColumn or ColumnEntry are not valid and contain a specific set of characters, applications are vulnerable to Cross-site Scripting (XSS) attack against a user who opens a page on which a color column or entry is rendered.

Versions of Filament from v3.0.0 through v3.2.114 are affected.

Please upgrade to Filament v3.2.115.

PoC

PoC will be published in a few weeks, once developers have had a chance to upgrade their apps.

Response

This vulnerability (in ColorColumn only) was reported by @sv-LayZ, who reported the issue and patched the issue during the evening of 25/09/2024. Thank you Mattis.

The review process concluded on 27/09/2024, which revealed the issue was also present in ColorEntry. This was fixed the same day and Filament v3.2.115 followed.

An explanation of the fix will be published in a few weeks, once developers have had a chance to upgrade their apps.

Although these components are no longer vulnerable to this type of XSS attack, it is good practice to validate colors, and since many Filament users may be accepting color input using the ColorPicker form component, additional color validation documentation was published.

References

Affected packages

Packagist / filament/tables

Package

Name
filament/tables
Purl
pkg:composer/filament/tables

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.115

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.36
v3.0.37
v3.0.38
v3.0.39
v3.0.40
v3.0.41
v3.0.42
v3.0.43
v3.0.44
v3.0.45
v3.0.46
v3.0.47
v3.0.48
v3.0.49
v3.0.50
v3.0.51
v3.0.52
v3.0.53
v3.0.54
v3.0.55
v3.0.56
v3.0.57
v3.0.58
v3.0.59
v3.0.60
v3.0.61
v3.0.62
v3.0.63
v3.0.64
v3.0.65
v3.0.66
v3.0.67
v3.0.68
v3.0.69
v3.0.70
v3.0.71
v3.0.72
v3.0.73
v3.0.74
v3.0.75
v3.0.76
v3.0.77
v3.0.78
v3.0.79
v3.0.80
v3.0.81
v3.0.82
v3.0.83
v3.0.84
v3.0.85
v3.0.86
v3.0.87
v3.0.88
v3.0.89
v3.0.90
v3.0.91
v3.0.92
v3.0.93
v3.0.94
v3.0.95
v3.0.96
v3.0.97
v3.0.98
v3.0.99
v3.0.100
v3.0.101
v3.0.102
v3.0.103
v3.1.0-alpha1
v3.1.0-alpha2
v3.1.0-alpha3
v3.1.0-alpha4
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.22
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.1.36
v3.1.37
v3.1.39
v3.1.40
v3.1.41
v3.1.42
v3.1.43
v3.1.44
v3.1.45
v3.1.46
v3.1.47
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25-beta1
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.2.40
v3.2.41
v3.2.42
v3.2.43
v3.2.44
v3.2.45
v3.2.46
v3.2.47
v3.2.48
v3.2.49
v3.2.50
v3.2.51
v3.2.52
v3.2.53
v3.2.54
v3.2.55
v3.2.56
v3.2.57
v3.2.58
v3.2.59
v3.2.60
v3.2.61
v3.2.62
v3.2.63
v3.2.64
v3.2.65
v3.2.66
v3.2.67
v3.2.68
v3.2.69
v3.2.70
v3.2.71
v3.2.72
v3.2.73
v3.2.74
v3.2.75
v3.2.76
v3.2.77
v3.2.78
v3.2.79
v3.2.80
v3.2.81
v3.2.82
v3.2.83
v3.2.84
v3.2.85
v3.2.86
v3.2.87-beta1
v3.2.87
v3.2.88
v3.2.89
v3.2.90
v3.2.91
v3.2.92
v3.2.93
v3.2.94
v3.2.95
v3.2.96
v3.2.97
v3.2.98
v3.2.99
v3.2.100
v3.2.101
v3.2.102
v3.2.103
v3.2.104
v3.2.105
v3.2.106
v3.2.107
v3.2.108
v3.2.109
v3.2.110
v3.2.111
v3.2.112
v3.2.113
v3.2.114

Packagist / filament/infolists

Package

Name
filament/infolists
Purl
pkg:composer/filament/infolists

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.2.115

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.36
v3.0.37
v3.0.38
v3.0.39
v3.0.40
v3.0.41
v3.0.42
v3.0.43
v3.0.44
v3.0.45
v3.0.46
v3.0.47
v3.0.48
v3.0.49
v3.0.50
v3.0.51
v3.0.52
v3.0.53
v3.0.54
v3.0.55
v3.0.56
v3.0.57
v3.0.58
v3.0.59
v3.0.60
v3.0.61
v3.0.62
v3.0.63
v3.0.64
v3.0.65
v3.0.66
v3.0.67
v3.0.68
v3.0.69
v3.0.70
v3.0.71
v3.0.72
v3.0.73
v3.0.74
v3.0.75
v3.0.76
v3.0.77
v3.0.78
v3.0.79
v3.0.80
v3.0.81
v3.0.82
v3.0.83
v3.0.84
v3.0.85
v3.0.86
v3.0.87
v3.0.88
v3.0.89
v3.0.90
v3.0.91
v3.0.92
v3.0.93
v3.0.94
v3.0.95
v3.0.96
v3.0.97
v3.0.98
v3.0.99
v3.0.100
v3.0.101
v3.0.102
v3.0.103
v3.1.0-alpha1
v3.1.0-alpha2
v3.1.0-alpha3
v3.1.0-alpha4
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.22
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.1.36
v3.1.37
v3.1.39
v3.1.40
v3.1.41
v3.1.42
v3.1.43
v3.1.44
v3.1.45
v3.1.46
v3.1.47
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25-beta1
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.2.40
v3.2.41
v3.2.42
v3.2.43
v3.2.44
v3.2.45
v3.2.46
v3.2.47
v3.2.48
v3.2.49
v3.2.50
v3.2.51
v3.2.52
v3.2.53
v3.2.54
v3.2.55
v3.2.56
v3.2.57
v3.2.58
v3.2.59
v3.2.60
v3.2.61
v3.2.62
v3.2.63
v3.2.64
v3.2.65
v3.2.66
v3.2.67
v3.2.68
v3.2.69
v3.2.70
v3.2.71
v3.2.72
v3.2.73
v3.2.74
v3.2.75
v3.2.76
v3.2.77
v3.2.78
v3.2.79
v3.2.80
v3.2.81
v3.2.82
v3.2.83
v3.2.84
v3.2.85
v3.2.86
v3.2.87-beta1
v3.2.87
v3.2.88
v3.2.89
v3.2.90
v3.2.91
v3.2.92
v3.2.93
v3.2.94
v3.2.95
v3.2.96
v3.2.97
v3.2.98
v3.2.99
v3.2.100
v3.2.101
v3.2.102
v3.2.103
v3.2.104
v3.2.105
v3.2.106
v3.2.107
v3.2.108
v3.2.109
v3.2.110
v3.2.111
v3.2.112
v3.2.113
v3.2.114