The FirstSpirit Hotfix-Build 5.2.230813 contains a security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP).
The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.
Due to CVE-2023-4863, the WebP library used by FirstSpirit has been updated to a version based on libwebp version 1.3.2.
A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory write and thus possibly inject malicious code. A manipulated WebP image can therefore lead to code injection.
FirstSpirit versions since 2019.11 are affected.
How can the vulnerability be exploited?
- An editor adds a manipulated WebP image to a project.
What do you have to do?
- (Server) Update to 5.2.230813
- (Client) Disable the integrated preview in SA (JxBrowser)
- (Client) Update the local browsers
Mitigation without FS Update
- (Server) Prevent uploading of WebP (set appropriate restrictions in the project) or
- (Server) Configure WebP as media type file
- (Client) Disable the integrated preview in SA (JxBrowser)
- (Client) Update the local browsers
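The server-side mitigation of preventing WebP uploads is only effective if the check looks at the file content and not just the extension, since a WebP image can be uploaded under any file name. The following is an added example (not FirstSpirit code and not part of this advisory) of such a content check: it recognises the RIFF/WEBP container signature, reports the first chunk type, and rejects the upload under a "no WebP" project policy. The sample inputs are constructed byte strings, not real images; the function and parameter names are assumptions for illustration, and how an upload hook is wired into a project is product-specific and not shown here.

```python
import struct
from typing import Optional, Tuple

# FourCC of the first chunk in a WebP file: lossy, lossless, or extended.
WEBP_VARIANTS = (b"VP8 ", b"VP8L", b"VP8X")


def is_webp(data: bytes) -> bool:
    """Return True if the bytes carry the WebP container signature.

    WebP is a RIFF container: bytes 0-3 are b"RIFF", bytes 4-7 the
    little-endian payload size, bytes 8-11 the form type b"WEBP".
    Sniffing the header instead of trusting the extension means a WebP
    renamed to .png is still recognised.
    """
    if len(data) < 12:
        return False
    return data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def webp_chunk_type(data: bytes) -> Optional[str]:
    """Return the first chunk FourCC ('VP8 ', 'VP8L' or 'VP8X'), or None."""
    if not is_webp(data) or len(data) < 16:
        return None
    fourcc = data[12:16]
    return fourcc.decode("ascii") if fourcc in WEBP_VARIANTS else None


def check_upload(filename: str, data: bytes, allow_webp: bool = False) -> Tuple[bool, str]:
    """Decide whether an upload is accepted under a 'no WebP' policy.

    Both the extension and the content signature are checked, so neither a
    correctly named .webp nor a WebP hidden behind another extension gets
    through while allow_webp is False.
    """
    by_extension = filename.lower().endswith(".webp")
    by_content = is_webp(data)
    if not allow_webp and (by_extension or by_content):
        kind = webp_chunk_type(data) or "unknown"
        reason = "extension" if by_extension else "content signature"
        return False, f"rejected: WebP ({kind}) detected by {reason}"
    return True, "accepted"


# Constructed sample inputs (not real images): a minimal RIFF/WEBP header
# followed by an empty VP8L chunk, and a PNG signature padded with zeros.
SAMPLE_WEBP = b"RIFF" + struct.pack("<I", 12) + b"WEBP" + b"VP8L" + struct.pack("<I", 0)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("photo.webp", SAMPLE_WEBP), ("photo.png", SAMPLE_WEBP), ("logo.png", SAMPLE_PNG)):
        print(name, check_upload(name, blob))
```

The same signature check can be used to inventory existing media already stored in a project, so that WebP files that were uploaded before the restriction was put in place can be found regardless of how they are named.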
The new FirstSpirit version is available for download.
You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.