CVE-2025-46294
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-23
Assigner: Apple Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| claris | filemaker_server | to 22.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves Microsoft IIS handling of legacy 8.3 short filenames, where attackers can use the tilde (~) character to enumerate and discover hidden files and directories on the server. The FileMaker Server 22.0.4 installer includes an option to disable this behavior by setting NtfsDisable8dot3NameCreation in the Windows registry, preventing such enumeration attacks.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can infer the existence of hidden files or directories on a server by using crafted requests with the tilde (~) character. This could lead to unauthorized information disclosure or aid in further attacks by revealing sensitive file locations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update FileMaker Server to version 22.0.4 or later, which includes an option to disable IIS short filename enumeration by setting the NtfsDisable8dot3NameCreation registry key in Windows. This prevents attackers from using the tilde (~) character to discover hidden files and directories.