MEDIUM 6.5
GHSA-7q3w-xqjw-g3cr
Filament has inconsistent scope enforcement for its AttachAction and AssociateAction Select fields
Details
The `recordSelectOptionsQuery()` method may be used to scope the options available in the `Select` field for `AttachAction` and `AssociateAction`. However, the built-in validation rule for these fields did not apply the same scope. As a result, a user who can trigger these actions could tamper with the Livewire component's state and submit a record ID that the options query would have excluded, and the server-side validation would still accept it.
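As an added illustration of the mismatch the advisory describes (this is example code, not Filament's own), the relation manager below scopes the `AttachAction` options with `recordSelectOptionsQuery()` and, as defence in depth, re-applies the same scope as a Laravel `exists` rule on the record `Select`, so a tampered Livewire payload carrying an out-of-scope ID is rejected server-side even on a version without the fix. The `Post`/`Tag` models, the `team_id` column and the `tags` table are assumed; the namespaces are those of `filament/tables` 3.x (in 4.x/5.x `AttachAction` lives in `filament/actions`).

```php
<?php

// Added example (not Filament's own code). Models, the `team_id` column and
// the `tags` table are assumed for illustration.

namespace App\Filament\Resources\PostResource\RelationManagers;

use Filament\Forms\Components\Select;
use Filament\Resources\RelationManagers\RelationManager;
use Filament\Tables\Actions\AttachAction;
use Filament\Tables\Table;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Query\Builder as QueryBuilder;
use Illuminate\Validation\Rule;

class TagsRelationManager extends RelationManager
{
    protected static string $relationship = 'tags';

    // Single source of truth for "which tags may be attached to this post":
    // only tags belonging to the owner record's team. Accepts both builder
    // types so the options query and the validation rule share one scope.
    protected function scopeToOwnerTeam(Builder|QueryBuilder $query): Builder|QueryBuilder
    {
        return $query->where('team_id', $this->getOwnerRecord()->team_id);
    }

    public function table(Table $table): Table
    {
        return $table
            ->headerActions([
                AttachAction::make()
                    // Limits what the Select offers. In affected versions this
                    // scope was NOT mirrored by the built-in validation rule.
                    ->recordSelectOptionsQuery(
                        fn (Builder $query) => $this->scopeToOwnerTeam($query)
                    )
                    // Defence in depth: validate the submitted ID against the
                    // same scope, independent of what the Select displayed.
                    ->recordSelect(fn (Select $select) => $select->rules([
                        Rule::exists('tags', 'id')->where(
                            fn (QueryBuilder $q) => $this->scopeToOwnerTeam($q)
                        ),
                    ])),
            ]);
    }
}
```

Upgrading to a fixed release remains the primary remediation; the explicit rule simply guarantees the option scope and the validation scope cannot drift apart again.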
Affected packages

| Package (Packagist) | Introduced in | Fixed in | Fix |
|---|---|---|---|
| filament/tables | 3.0.0 | 3.3.51 | `composer require filament/tables:^3.3.51` |
| filament/actions | 4.0.0 | 4.11.4 | `composer require filament/actions:^4.11.4` |
| filament/actions | 5.0.0 | 5.6.4 | `composer require filament/actions:^5.6.4` |

References
- https://github.com/filamentphp/filament/security/advisories/GHSA-7q3w-xqjw-g3cr [WEB]
- https://github.com/filamentphp/filament [PACKAGE]
- https://github.com/filamentphp/filament/releases/tag/v3.3.51 [WEB]
- https://github.com/filamentphp/filament/releases/tag/v4.11.4 [WEB]
- https://github.com/filamentphp/filament/releases/tag/v5.6.4 [WEB]