
CVE-2025-46320 (Claris FileMaker Server): A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution.

Severity: Medium
Tags: Vulnerability, CVE-2025-46320
Published: Tue Feb 24 2026 (02/24/2026, 20:30:26 UTC)
Source: CVE Database V5
Vendor/Project: Claris
Product: FileMaker Server

Description

A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/04/2026, 01:52:47 UTC

Technical Analysis

CVE-2025-46320 is a cross-site scripting (XSS) vulnerability affecting the custom homepage feature of FileMaker WebDirect, a web-based interface for Claris FileMaker Server. This vulnerability allows an attacker to inject malicious JavaScript code into the custom homepage, which executes in the context of users visiting the page. The injected script can hijack user sessions, steal sensitive information, or perform actions on behalf of the user, potentially leading to unauthorized access. In some scenarios, this can escalate to remote code execution on the server if combined with other vulnerabilities or misconfigurations. The vulnerability does not require authentication but does require user interaction, such as visiting a crafted URL or page. The issue is addressed in FileMaker Server versions 22.0.4 and 21.1.7, indicating that earlier versions remain vulnerable. The CVSS v3.1 base score of 6.1 reflects a medium severity, with network attack vector, low attack complexity, no privileges required, but user interaction needed, and a scope change indicating impact beyond the vulnerable component. The vulnerability is categorized under CWE-79, which is a common weakness for XSS vulnerabilities. No public exploit code or active exploitation has been reported yet. Organizations using FileMaker Server with WebDirect custom homepages should apply the patches promptly to mitigate risks. The vulnerability's exploitation could compromise confidentiality and integrity of data accessed via WebDirect, impacting business operations and data security.

Potential Impact

The primary impact of CVE-2025-46320 is the potential compromise of user sessions and unauthorized access to sensitive data through the exploitation of the XSS vulnerability in FileMaker WebDirect custom homepages. Attackers can execute arbitrary scripts in the context of authenticated users, leading to data theft, session hijacking, or manipulation of application behavior. In some cases, this may escalate to remote code execution on the server, significantly increasing the severity. Organizations relying on FileMaker Server for critical business applications risk data breaches, loss of data integrity, and potential disruption of services. The vulnerability affects confidentiality and integrity but does not directly impact availability. Since exploitation requires user interaction, social engineering or phishing campaigns could be used to lure victims. The medium CVSS score reflects a moderate risk, but the potential for remote code execution elevates the threat if combined with other weaknesses. Failure to patch could lead to targeted attacks against organizations using vulnerable versions, especially those exposing WebDirect interfaces to the internet. This can result in regulatory compliance issues, reputational damage, and financial losses.

Mitigation Recommendations

To mitigate CVE-2025-46320, organizations should immediately upgrade FileMaker Server to version 22.0.4 or 21.1.7 or later, where the vulnerability has been fully patched. Until patching is complete, restrict access to the WebDirect interface to trusted networks and users only, using network segmentation and firewall rules. Implement strict Content Security Policy (CSP) headers to reduce the risk of XSS exploitation by limiting the execution of unauthorized scripts. Educate users about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of social engineering attacks. Regularly audit and sanitize any user-generated content or inputs used in custom homepages to prevent injection of malicious scripts. Monitor logs and network traffic for unusual activity indicative of exploitation attempts. Employ web application firewalls (WAFs) with rules targeting XSS patterns to provide an additional layer of defense. Finally, maintain an incident response plan to quickly address any suspected compromise related to this vulnerability.
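Two of the recommendations above, strict CSP headers and sanitising content placed in custom homepages, can be checked mechanically. The Python below is an added example, not code from the page or from Claris: it judges whether a Content-Security-Policy header value actually constrains script execution (including the edge case where 'unsafe-inline' is present but neutralised by a nonce), and shows output encoding for untrusted values in a homepage fragment. The sample policies, helper names and the banner layout are constructed assumptions, not FileMaker's real configuration or template.

```python
"""Defender-side checks for the XSS mitigations recommended above.

Added example; hypothetical helpers, not Claris/FileMaker code:
  - assess_script_policy: list weaknesses in how a CSP constrains script execution
  - render_banner: build a homepage fragment with every untrusted value encoded
"""
import html

# Constructed sample header values (not captured from any real server).
SAMPLE_POLICIES = {
    "missing": "",
    "weak": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *",
    # 'unsafe-inline' next to a nonce is ignored by CSP2+ browsers (kept for legacy UAs).
    "nonce_based": ("default-src 'self'; "
                    "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline'; "
                    "object-src 'none'"),
    "self_only": "default-src 'self'; object-src 'none'; base-uri 'none'",
}


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, *sources = parts
        policy[name.lower()] = sources
    return policy


def assess_script_policy(header: str) -> list:
    """Return weaknesses in the policy's control of script execution.

    An empty list means injected inline script and arbitrary remote script
    are both blocked. Note that 'self' still permits any script hosted on the
    same origin, so upload locations on that origin still need review.
    """
    policy = parse_csp(header)
    # script-src falls back to default-src; neither present means no restriction.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src directive: script execution is unrestricted"]

    tokens = {s.lower() for s in sources}
    nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in tokens
    )
    findings = []
    if "'unsafe-inline'" in tokens and not nonce_or_hash:
        findings.append("'unsafe-inline' allows injected <script> blocks and event handlers")
    if "'unsafe-eval'" in tokens:
        findings.append("'unsafe-eval' allows string-to-code execution (eval, new Function)")
    # With 'strict-dynamic', host and scheme sources are ignored, so skip that check.
    if "'strict-dynamic'" not in tokens:
        if tokens & {"*", "http:", "https:", "data:"}:
            findings.append("wildcard or scheme source allows scripts from any host or data: URL")
    return findings


def escape_for_html(untrusted: str) -> str:
    """Encode text for an HTML text node or a double-quoted attribute value."""
    return html.escape(untrusted, quote=True)


def render_banner(title: str, org: str) -> str:
    """Assumed homepage fragment layout with untrusted values encoded on output."""
    return (
        f'<div class="banner" data-org="{escape_for_html(org)}">'
        f"<h1>{escape_for_html(title)}</h1></div>"
    )


if __name__ == "__main__":
    for name, header in SAMPLE_POLICIES.items():
        print(f"{name:12s} -> {assess_script_policy(header) or 'OK'}")
    # Constructed inputs that would break out of a text node / attribute if unencoded.
    print(render_banner("<script>alert(1)</script>", 'Acme" class="injected'))
```

The policy check treats a missing script-src as inheriting default-src, as browsers do, and only flags 'unsafe-inline' when no nonce or hash is present, because a nonce or hash causes conforming browsers to ignore it. Run the script directly to see each sample policy's findings and the encoded banner.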


Technical Details

Data Version: 5.2
Assigner Short Name: apple
Date Reserved: 2025-04-22T21:13:49.961Z
CVSS Version: null
State: PUBLISHED

Threat ID: 699e0e51be58cf853b283374

Added to database: 2/24/2026, 8:47:13 PM

Last enriched: 3/4/2026, 1:52:47 AM

Last updated: 4/10/2026, 1:14:27 AM
