[RELEASE] FirstSpirit™ 2023.8 and 2023.10 - HotFix-Builds with JxBrowser update (CVE-2023-4863)

Natalie_Manusov
Crownpeak employee
Crownpeak employee
0 3 526

FirstSpirit Hotfix-Builds 5.2.230817 (Non-Jakarta) and 5.2.231010 (Jakarta) contain a further security fix for CVE-2023-4863 (Heap Buffer Overflow in WebP):

  • JxBrowser update to the version 7.35.1  (is used in the integrated preview in the SiteArchitect)

The vulnerability is classified as critical. Crownpeak therefore recommends a prompt update to a secured FirstSpirit version.

A “heap buffer overflow” in WebP allowed a remote attacker to perform an out-of-bounds memory-write, and thus possibly inject malicious code. A manipulated WebP image can therefor lead to code injection.

FirstSpirit versions since 2019.11 are affected.

How can the vulnerability be exploited?

  • An editor adds a manipulated WebP image to a project.
  • An editor opens an (external) website containing a manipulated WebP in the integrated preview.

What do you have to do?

  • (Server) Update to 5.2.230817 / 5.2.231010
  • (Client) Update the local browsers

Mitigation without FS Update

New FirstSpirit versions are available for download

You need a personal login to access the download folder. Please contact our Technical Support if you do not have a personal login.

3 Comments
Radigewski
Occasional Collector

How can I prevent uploading of WebP (set appropriate restrictions in the project) ?
I'm just aware of the setting to configure the allowed media types. 
Is there also a configuration option for forbidden file types?

Windmüller
Crownpeak employee
Crownpeak employee

FirstSpirit allows for configuring the allowed media types, but not the forbidden ones. However, you can set the media type for WebP to be handled as plain files so there will be no image processing.

Radigewski
Occasional Collector

Thank you for the clarification. So theoretically a solution, but practically useless. 😞

Version history
Last update:
‎10-05-2023 03:55 AM
Updated by: