{"id":"CVE-2024-47186","summary":"Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting","details":"Filament is a collection of full-stack components for Laravel development. Versions of Filament from v3.0.0 through v3.2.114 are affected by a cross-site scripting (XSS) vulnerability. If values passed to a `ColorColumn` or `ColorEntry` are not valid and contain a specific set of characters, applications are vulnerable to an XSS attack against a user who opens a page on which a color column or entry is rendered. Filament v3.2.115 fixes this issue.","aliases":["GHSA-9h9q-qhxg-89xr"],"modified":"2026-04-10T05:17:17.500684Z","published":"2024-09-27T21:04:33.587Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47186.json","cwe_ids":["CWE-79"]},"references":[{"type":"WEB","url":"https://github.com/filamentphp/filament/releases/tag/v3.2.115"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47186.json"},{"type":"ADVISORY","url":"https://github.com/filamentphp/filament/security/advisories/GHSA-9h9q-qhxg-89xr"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47186"},{"type":"FIX","url":"https://github.com/filamentphp/filament/commit/df7989352464d08eda5837ef50f9997fad902316"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/filamentphp/filament","events":[{"introduced":"366535ae9026ef38c588ed7e697cda6492593f6f"},{"fixed":"884f25694a86ca9ddd28da8b0e2c12275adc3feb"}]}],"versions":["v3.0.0","v3.0.0-beta28","v3.0.1","v3.0.11","v3.0.12","v3.0.14","v3.0.15","v3.0.16","v3.0.19","v3.0.2","v3.0.20","v3.0.21","v3.0.22","v3.0.23","v3.0.24","v3.0.25","v3.0.26","v3.0.27","v3.0.28","v3.0.29","v3.0.3","v3.0.30","v3.0.31","v3.0.32","v3.0.33","v3.0.34","v3.0.4","v3.0.48","v3.0.49","v3.0.5","v3.0.50","v3.0.51","v3.0.52","v3.0.53","v3.0.54","v3.0.55","v3.0.56","v3.0.57"
,"v3.0.58","v3.0.59","v3.0.6","v3.0.60","v3.0.61","v3.0.62","v3.0.63","v3.0.64","v3.0.65","v3.0.66","v3.0.67","v3.0.68","v3.0.69","v3.0.7","v3.0.70","v3.0.71","v3.0.72","v3.0.73","v3.0.74","v3.0.75","v3.0.76","v3.0.77","v3.0.78","v3.0.79","v3.0.8","v3.0.81","v3.0.82","v3.0.83","v3.0.84","v3.0.85","v3.0.86","v3.0.87","v3.0.9","v3.1.0","v3.1.0-alpha1","v3.1.0-alpha2","v3.1.0-alpha3","v3.1.0-alpha4","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.2.0","v3.2.1","v3.2.10","v3.2.100","v3.2.101","v3.2.102","v3.2.103","v3.2.104","v3.2.105","v3.2.106","v3.2.107","v3.2.108","v3.2.109","v3.2.11","v3.2.110","v3.2.111","v3.2.112","v3.2.113","v3.2.114","v3.2.12","v3.2.13","v3.2.14","v3.2.15","v3.2.16","v3.2.17","v3.2.18","v3.2.19","v3.2.2","v3.2.20","v3.2.21","v3.2.22","v3.2.23","v3.2.24","v3.2.25","v3.2.25-beta1","v3.2.26","v3.2.27","v3.2.28","v3.2.29","v3.2.3","v3.2.30","v3.2.31","v3.2.32","v3.2.33","v3.2.34","v3.2.35","v3.2.36","v3.2.37","v3.2.38","v3.2.4","v3.2.45","v3.2.46","v3.2.47","v3.2.48","v3.2.49","v3.2.5","v3.2.50","v3.2.57","v3.2.58","v3.2.59","v3.2.6","v3.2.60","v3.2.61","v3.2.62","v3.2.63","v3.2.64","v3.2.65","v3.2.66","v3.2.67","v3.2.68","v3.2.69","v3.2.7","v3.2.70","v3.2.71","v3.2.72","v3.2.73","v3.2.74","v3.2.75","v3.2.76","v3.2.77","v3.2.78","v3.2.79","v3.2.8","v3.2.80","v3.2.81","v3.2.82","v3.2.83","v3.2.84","v3.2.85","v3.2.86","v3.2.87","v3.2.87-beta1","v3.2.88","v3.2.9","v3.2.97","v3.2.98","v3.2.99"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47186.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}