Jump to content

Excellent Article - XXE Vulnerability Patched in 19.4.1

Ocean West
 Share

This topic is 912 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Ocean West Grand Master

Ocean West

Posted
Posted

XML External Entity Vulnerability in Claris FileMaker

 49 minute read

A couple of months ago I looked more deeply into the “Import Records” functionality in FileMaker, especially the XML parsing, and was wondering if any XXE vulnerability may exist and how one could exploit this in technically interesting ways.

The vulnerability is/was indeed there and can lead to local file disclosure and server side request forgery in various components of the FileMaker platform. The following is a description of the vulnerability including potential exploitation paths.

If you’re running FileMaker Server, make sure to install patch 19.4.1 to mitigate this attack vector. The issue was privately disclosed to Claris, Inc. and this write-up was only released after a patch was available (see timeline below).

Click link to read rest of the article:

https://davidhamann.de/2021/11/18/filemaker-xxe-vulnerability/

  • Like 1
Link to comment
Share on other sites
 Share
Go to topic listing
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept