CVE-2023-42955

Published: May 14, 2024Modified: Dec 10, 2024

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

Claris International has successfully resolved an issue of potentially exposing password information to front-end websites when signed in to the Admin Console with an administrator role. This issue has been fixed in FileMaker Server 20.3.1 by eliminating the send of Admin Role passwords in the Node.js socket.

Affected (1)

Products: Claris: Filemaker Server

1 product

Filemaker Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Claris Filemaker Server	Before 20.3.1

Related CWEs

Storing Passwords in a Recoverable Format

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (2)

https://support.claris.com/s/article/Administrator-role-passwords-being-exposed-when-logged-into-the-Admin-Console?language=en_US

Source: product-security@apple.com

Vendor Advisory

https://support.claris.com/s/article/Administrator-role-passwords-being-exposed-when-logged-into-the-Admin-Console?language=en_US

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.