Excellent Article - XXE Vulnerability Patched in 19.4.1

[Ocean West]

XML External Entity Vulnerability in Claris FileMaker

 49 minute read

A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways.

The vulnerability is/was indeed there and can lead to local file disclosure and server side request forgery in various components of the FileMaker platform. The following is a description of the vulnerability including potential exploitation paths.

If you’re running FileMaker Server, make sure to install patch 19.4.1 to mitigate this attack vector. The issue was privately disclosed to Claris, Inc. and this write-up was only released after a patch was available (see timeline below).

Click link to read rest of the article:

https://davidhamann.de/2021/11/18/filemaker-xxe-vulnerability/