PT-2024-32467 · Filament+1

Sv-Layz · Published 2024-09-27 · Updated 2024-10-07 · CVE-2024-47186

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Filament versions 3.0.0 through 3.2.114

Description: The issue is a cross-site scripting (XSS) vulnerability. If values passed to a ColorColumn or ColumnEntry are not valid and contain a specific set of characters, applications are vulnerable to an XSS attack against a user who opens a page on which a color column or entry is rendered. This occurs because Laravel does not escape special characters within the @style Blade directive, allowing arbitrary JavaScript to run if malicious input is stored in the database.

Recommendations: For versions 3.0.0 through 3.2.114, update to Filament version 3.2.115 to fix the issue. As a temporary workaround, consider validating colors and escaping special characters when outputting inline styles to prevent XSS attacks. Additionally, restrict the use of ColorColumn and ColumnEntry until the update is applied.
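As an added example (not Filament's or Laravel's own code), this is the allow-list validation and escaping that the workaround above describes, assuming the hypothetical helper names isValidCssColor and safeColorStyle and a constructed set of sample values:

```php
<?php
// Added example, not Filament's or Laravel's code: allow-list validation of a
// stored color before it is emitted in an inline style. The helper names and
// the named-color subset below are assumptions for illustration.
declare(strict_types=1);

// Small subset of CSS named colors; extend as needed for your application.
const NAMED_COLORS = ['transparent', 'currentcolor', 'black', 'white', 'red', 'green', 'blue', 'gray'];

/**
 * Accept only syntactically plausible CSS colors built from a restricted
 * character set (no quotes, semicolons, angle brackets or backslashes),
 * so the value cannot break out of a style attribute or a CSS declaration.
 */
function isValidCssColor(string $value): bool
{
    $value = trim($value);

    // #rgb, #rgba, #rrggbb, #rrggbbaa
    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})$/i', $value) === 1) {
        return true;
    }

    // rgb()/rgba()/hsl()/hsla() with three numeric or percentage components
    // and an optional alpha, using either comma or space separators.
    $component = '\s*[0-9]+(?:\.[0-9]+)?%?\s*';
    $pattern = '/^(?:rgba?|hsla?)\(' . $component . '[, ]' . $component . '[, ]' . $component
             . '(?:[,\/]' . $component . ')?\)$/i';
    if (preg_match($pattern, $value) === 1) {
        return true;
    }

    return in_array(strtolower($value), NAMED_COLORS, true);
}

/**
 * Build the inline declaration from a stored value, substituting a safe
 * fallback for anything that fails the allow-list. The result is also
 * attribute-escaped; when it is rendered through Blade's {{ }} (which escapes)
 * instead of @style (which does not), the htmlspecialchars() call is redundant.
 */
function safeColorStyle(string $stored, string $fallback = 'transparent'): string
{
    $color = isValidCssColor($stored) ? trim($stored) : $fallback;
    return 'background-color: ' . htmlspecialchars($color, ENT_QUOTES | ENT_HTML5, 'UTF-8') . ';';
}

// Constructed sample values as they might arrive from the database.
foreach (['#1e90ff', 'rgb(30, 144, 255)', 'hsla(210 100% 56% / 0.5)', 'blue', 'not a color'] as $sample) {
    echo str_pad($sample, 28) . ' -> ' . safeColorStyle($sample) . PHP_EOL;
}
```

The allow-list is a character-level guard rather than a full CSS color parser; anything it rejects is replaced by the fallback, so a stored value can never reach the style attribute unchecked.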

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2024-47186, GHSA-9H9Q-QHXG-89XR

Affected Products: Filament, Laravel