FirstSpirit Hotfix-Builds 5.2.230817 (Non-Jakarta) and 5.2.231010 (Jakarta) contain a further security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP):
- JxBrowser updated to version 7.35.1 (JxBrowser is used for the integrated preview in SiteArchitect)
The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.
The heap buffer overflow in the WebP decoding library (libwebp) allows a remote attacker to perform an out-of-bounds memory write and thus potentially inject and execute malicious code. A manipulated WebP image can therefore lead to code injection on the machine that decodes it.
FirstSpirit versions since 2019.11 are affected.
How can the vulnerability be exploited?
- An editor adds a manipulated WebP image to a project.
- An editor opens an (external) website containing a manipulated WebP in the integrated preview.
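Both paths above start with a WebP file reaching the vulnerable decoder, and the first one (a manipulated image added to the project) can be inventoried while the update is being scheduled. The script below is an added example for this advisory, not Crownpeak code: it walks a directory (assumed to be an export of the project's media, since the FirstSpirit storage layout is not modelled here), identifies WebP files by their RIFF magic rather than by extension, and flags those that are handled by libwebp's lossless (VP8L) code path, which is where CVE-2023-4863 lives: `VP8L` image data, `ALPH` chunks with lossless-compressed alpha, and lossless frames nested in `ANMF` animation frames. The sample files at the bottom are constructed inline so the script runs offline. Note the caveat: this does not detect malicious images, it only tells you which assets exercise the affected decoder; the fix remains the update.

```python
"""Inventory WebP images under a directory and flag the ones that reach
libwebp's lossless (VP8L) decoder.  Added example, not Crownpeak/FirstSpirit
code; the project-export directory layout is an assumption."""
import os
import struct


def iter_chunks(data: bytes):
    """Walk RIFF chunks: 4-byte FourCC, 4-byte little-endian size, payload padded to even length."""
    off = 0
    while off + 8 <= len(data):
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        payload = data[off + 8:off + 8 + size]  # a truncated file simply yields a short payload
        yield fourcc, payload
        off += 8 + size + (size & 1)


def is_webp(data: bytes) -> bool:
    # Identify by magic bytes, not by extension: a ".png" may be a WebP in disguise
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP"


def uses_lossless_decoder(fourcc: bytes, payload: bytes) -> bool:
    if fourcc == b"VP8L":
        return True
    # ALPH header byte layout: Rsv(2) P(2) F(2) C(2); C == 1 means the alpha plane is VP8L-compressed
    if fourcc == b"ALPH":
        return len(payload) > 0 and (payload[0] & 0x03) == 1
    return False


def analyze_webp(data: bytes):
    """Return {'chunks': [...], 'lossless': bool}, or None if data is not a WebP file."""
    if not is_webp(data):
        return None
    chunks, lossless = [], False
    for fourcc, payload in iter_chunks(data[12:]):
        chunks.append(fourcc.decode("ascii", "replace"))
        lossless |= uses_lossless_decoder(fourcc, payload)
        if fourcc == b"ANMF":
            # Animation frame: 16-byte frame header, then nested ALPH / VP8 / VP8L chunks
            for sub, subpayload in iter_chunks(payload[16:]):
                chunks.append("ANMF/" + sub.decode("ascii", "replace"))
                lossless |= uses_lossless_decoder(sub, subpayload)
    return {"chunks": chunks, "lossless": lossless}


def scan_files(items):
    """items: iterable of (path, bytes).  Returns one finding per file that is actually WebP."""
    findings = []
    for path, data in items:
        info = analyze_webp(data)
        if info is None:
            continue
        findings.append({
            "path": path,
            "lossless": info["lossless"],
            "chunks": info["chunks"],
            "ext_mismatch": not path.lower().endswith(".webp"),
        })
    return findings


def scan_directory(root: str):
    """Read every file below root (assumed project media export) and scan it."""
    def read_all():
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, fh.read()
    return scan_files(read_all())


# --- constructed sample files (not real project content) ---------------------
def build_webp(*chunks):
    body = b""
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


SAMPLES = [
    ("media/hero.webp", build_webp((b"VP8 ", b"\x00" * 20))),                 # lossy only
    ("media/logo.webp", build_webp((b"VP8L", b"\x2f" + b"\x00" * 10))),        # lossless image data
    ("media/icon.png", build_webp((b"VP8X", b"\x10" + b"\x00" * 9),            # WebP disguised as PNG,
                                  (b"ALPH", b"\x01" + b"\x00" * 5),            # alpha plane VP8L-compressed
                                  (b"VP8 ", b"\x00" * 20))),
    ("media/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),                   # not WebP, must be skipped
    ("media/anim.webp", build_webp((b"VP8X", b"\x02" + b"\x00" * 9),           # animation with a nested
                                   (b"ANMF", b"\x00" * 16 + b"VP8L"            # lossless frame
                                    + struct.pack("<I", 3) + b"\x2f\x00\x00" + b"\x00"))),
]

if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        flag = "LOSSLESS" if f["lossless"] else "lossy   "
        note = " (extension is not .webp)" if f["ext_mismatch"] else ""
        print(f"{flag} {f['path']} chunks={','.join(f['chunks'])}{note}")
```

Run it against a real export with `scan_directory("/path/to/export")`; anything flagged `LOSSLESS` or with an extension mismatch is worth a second look before the server and client updates are in place, and files that are not WebP at all are simply not reported.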
What do you have to do?
- (Server) Update to 5.2.230817 (Non-Jakarta) / 5.2.231010 (Jakarta)
- (Client) Update the web browsers on the editors' workstations
Mitigation without FS Update
New FirstSpirit versions are available for download.
You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.