[RELEASE] FirstSpirit™ 2023.8 and 2023.10 - HotFix-Builds with JxBrowser update (CVE-2023-4863)

Natalie_Manusov
Crownpeak employee

FirstSpirit Hotfix-Builds 5.2.230817 (Non-Jakarta) and 5.2.231010 (Jakarta) contain a further security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP):

  • JxBrowser update to version 7.35.1 (used in the integrated preview in the SiteArchitect)

The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.

A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory write, and thus possibly inject malicious code. A manipulated WebP image can therefore lead to code injection.

FirstSpirit versions since 2019.11 are affected.

How can the vulnerability be exploited?

  • An editor adds a manipulated WebP image to a project.
  • An editor opens an (external) website containing a manipulated WebP in the integrated preview.

What do you have to do?

  • (Server) Update to 5.2.230817 / 5.2.231010
  • (Client) Update the local browsers

Mitigation without FS Update

New FirstSpirit versions are available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.
