HIGH 7.6

GHSA-m9cv-24rx-8mv7

Filament: Disabled RichEditor field state can be used for XSS

Details

In Filament v3, a disabled `RichEditor` field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form.

Please note that Filament v4 and above does not use the same mechanism for rendering a disabled `RichEditor` so this advisory does not apply.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / filament/forms

Introduced in: 3.0.0 Fixed in: 3.3.53

Fix composer require filament/forms:^3.3.53

References

https://github.com/filamentphp/filament/security/advisories/GHSA-m9cv-24rx-8mv7 [WEB]
https://github.com/filamentphp/filament/pull/20029 [WEB]
https://github.com/filamentphp/filament [PACKAGE]
https://github.com/filamentphp/filament/releases/tag/v3.3.53 [WEB]