FirstSpirit Hotfix-Builds 5.2.230817 (Non-Jakarta) and 5.2.231010 (Jakarta) contain a further security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP):
JxBrowser update to the version 7.35.1 (is used in the integrated preview in the SiteArchitect)
The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.
A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory-write, and thus possibly inject malicious code. A manipulated WebP image can therefor lead to code injection.
FirstSpirit versions since 2019.11 are affected.
How can the vulnerability be exploited?
An editor adds a manipulated WebP image to a project.
An editor opens an (external) website containing a manipulated WebP in the integrated preview.