[RELEASE] FirstSpirit™ 2023.8 HotFix-Build 5.2.230813

Crownpeak employee

The FirstSpirit Hotfix-Build 5.2.230813 contains a security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP).

The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.

Due to CVE-2023-4863, the WebP library used by FirstSpirit has been updated to a version based on libwebp version 1.3.2.

A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory write, and thus possibly inject malicious code. A manipulated WebP image can therefore lead to code injection.

FirstSpirit versions since 2019.11 are affected.

How can the vulnerability be exploited?

  • An editor adds a manipulated WebP image to a project.

What do you have to do?

  • (Server) Update to 5.2.230813
  • (Client) Disable the integrated preview in SA (JxBrowser)
  • (Client) Update the local browsers

Mitigation without FS Update

  • (Server) Prevent uploading of WebP (set appropriate restrictions in the project) or
  • (Server) Configure WebP as media type file
  • (Client) Disable the integrated preview in SA (JxBrowser)
  • (Client) Update the local browsers
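An upload restriction that only looks at the file extension is easy to bypass by renaming the file, so a filter for the "prevent uploading of WebP" mitigation should recognise WebP by its container header. The following is an added example, not part of this announcement or of FirstSpirit's own code: it identifies WebP data by the RIFF/WEBP signature, reports the codec chunk (VP8, VP8L or VP8X), and makes an accept/reject decision; the sample inputs are constructed header-only stubs, not real images.

```python
import struct

# Constructed sample inputs (not real images): minimal RIFF containers
# carrying only the headers an upload filter needs to inspect.
def _riff_webp(chunk_fourcc: bytes, payload: bytes) -> bytes:
    body = b"WEBP" + chunk_fourcc + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body

SAMPLE_LOSSY = _riff_webp(b"VP8 ", b"\x00" * 10)       # lossy bitstream chunk
SAMPLE_LOSSLESS = _riff_webp(b"VP8L", b"\x2f" + b"\x00" * 4)  # lossless chunk
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8         # not WebP at all
SAMPLE_WAV = b"RIFF" + struct.pack("<I", 4) + b"WAVE"   # RIFF, but not WebP


def sniff_webp(data: bytes):
    """Return the first chunk FourCC if `data` is a WebP container, else None.

    Checks bytes rather than the file name, so a WebP renamed to .png or
    .jpg is still recognised. Typical values: 'VP8 ' (lossy), 'VP8L'
    (lossless), 'VP8X' (extended). Truncated containers return None.
    """
    if len(data) < 16 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_len = struct.unpack("<I", data[4:8])[0]
    if riff_len + 8 > len(data):       # declared size exceeds what was uploaded
        return None
    return data[12:16].decode("ascii", errors="replace")


def check_upload(filename: str, data: bytes, allow_webp: bool = False):
    """Decide whether an uploaded media file may enter the project.

    Returns ("accept" | "reject", reason). With allow_webp=False every WebP
    container is rejected regardless of its name; a .webp name whose
    content is not WebP is rejected as a type mismatch.
    """
    codec = sniff_webp(data)
    if codec is not None and not allow_webp:
        return "reject", f"WebP container ({codec.strip()}) despite name {filename!r}"
    if codec is None and filename.lower().endswith(".webp"):
        return "reject", "extension is .webp but content is not a WebP container"
    if codec is None:
        return "accept", "not a WebP container"
    return "accept", f"WebP ({codec.strip()}) explicitly allowed"


if __name__ == "__main__":
    for name, blob in [("a.png", SAMPLE_LOSSLESS), ("b.png", SAMPLE_PNG)]:
        print(name, check_upload(name, blob))
```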

The new FirstSpirit version is available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.
