Description
Filament is a collection of full-stack components for accelerated Laravel development. From filament/actions 4.0.0 until 4.11.4 and 5.6.4 and from filament/tables 3.0.0 until 3.3.51, the recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value. This vulnerability is fixed in filament/actions 4.11.4 and 5.6.4 and filament/tables 3.3.51.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected products
- filamentphp / filament>= 4.0.0, < 4.11.4 – >= 4.0.0, < 4.11.4
- filamentphp / filament>= 5.0.0, < 5.6.4 – >= 5.0.0, < 5.6.4
- filamentphp / filament>= 3.0.0, < 3.3.51 – >= 3.0.0, < 3.3.51