JVN#55833292 FileMaker cross-site scripting vulnerability

2007-11-21T00:00:00
ID JVN:55833292
Type jvn
Reporter Japan Vulnerability Notes
Modified 2008-05-21T00:00:00

## Description

FileMaker is database software from FileMaker, Inc.
FileMaker contains a cross-site scripting vulnerability in its "Instant Web Publishing" function, which enables users to publish database contents on the web.

## Impact

An attacker could execute an arbitrary script in the web browser of a user who views content published using the "Instant Web Publishing" function.

## Solution

Upgrade the Software
FileMaker, Inc. has not released any updates or patches for FileMaker 7.x and 8.x.
However, the vendor released the FileMaker 9 product line in September 2007. Users are encouraged to upgrade to the FileMaker 9 product line, which is not affected by this vulnerability.

Workarounds
Users who do not upgrade to the FileMaker 9 product line should apply the following workaround to mitigate this vulnerability.

  • Do not use the "Instant Web Publishing" function

## Products Affected

  • FileMaker Pro 7 (for Windows and Mac)
  • FileMaker Developer 7 (for Windows and Mac)
  • FileMaker Server 7 Advanced (for Windows and Mac)
  • FileMaker Pro 8.x (for Windows and Mac)
  • FileMaker Pro 8.x Advanced (for Windows and Mac)
  • FileMaker Server 8.x (for Windows and Mac)
  • FileMaker Server 8.x Advanced (for Windows and Mac)

The FileMaker 9 product line is not affected by this vulnerability.