GHSA-7q3w-xqjw-g3crMediumCVSS 6.5
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
🔗 CVE IDs covered (1)
📋 Description
The recordSelectOptionsQuery() method may be used to scope the options available in the Select field for AttachAction and AssociateAction. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit an out-of-scope value.
🎯 Affected products3
- composer/filament/tables:>= 3.0.0, <= 3.3.50
- composer/filament/actions:>= 4.0.0, <= 4.11.3
- composer/filament/actions:>= 5.0.0, <= 5.6.3
🔗 References (5)
- https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr
- https://github.com/filamentphp/filament/releases/tag/v3.3.51
- https://github.com/filamentphp/filament/releases/tag/v4.11.4
- https://github.com/filamentphp/filament/releases/tag/v5.6.4
- https://github.com/advisories/GHSA-7q3w-xqjw-g3cr