PROBLEM

ArcGIS QuickCapture mobile app susceptibility to CVE-2023-4863

Last Published: September 16, 2025

Description

Prior to ArcGIS QuickCapture version 1.23.12, the mobile app was susceptible to CVE-2023-4863 — a critical heap buffer overflow vulnerability in libwebp that could allow remote attackers to execute arbitrary code via crafted HTML content.

Note:
This article only applies to the QuickCapture app installed on the Windows OS.

Cause

The ArcGIS QuickCapture mobile app included a vulnerable qwebp.dll file in its installation folder. This file is not removed when the app is uninstalled.

Solution or Workaround

Esri recommends that all users of the ArcGIS QuickCapture mobile app remove the vulnerable file by completing one of the following steps:

  • Upgrade the app to version 1.23.12 or later.
  • If upgrading is not an option, delete the vulnerable qwebp.dll file from the app's installation folder: C:\Users\<username>\Applications\ArcGIS\ArcGISQuickCapture\plugins\imageformats\qwebp.dll
  • If you've uninstalled the app, delete the entire app folder: C:\Users\<username>\Applications\ArcGIS\ArcGISQuickCapture

For anyone installing the QuickCapture app for the first time, QuickCapture version 1.23.12 includes a fix for this issue, and the vulnerable file is no longer included in the installation.
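To check every user profile on a Windows machine for the leftover file before applying the steps above, the following PowerShell function is an added example, not Esri tooling. The function name, its parameters and the assumption that profiles live under C:\Users are hypothetical; the relative paths come from this article.

```powershell
# Added example (not Esri tooling). Function and parameter names are hypothetical.
function Invoke-QuickCaptureWebpAudit {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$UsersRoot = 'C:\Users',   # assumption: default profile location
        [ValidateSet('Report', 'RemoveDll', 'RemoveAppFolder')]
        [string]$Action = 'Report',
        [string]$UserName = '*'            # limit to one profile, e.g. for RemoveAppFolder
    )
    # Relative paths taken from the article.
    $relApp = 'Applications\ArcGIS\ArcGISQuickCapture'
    $relDll = 'plugins\imageformats\qwebp.dll'

    $profiles = Get-ChildItem -LiteralPath $UsersRoot -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $UserName }

    foreach ($p in $profiles) {
        $appDir = Join-Path $p.FullName $relApp
        if (-not (Test-Path -LiteralPath $appDir -PathType Container)) { continue }

        $dll     = Join-Path $appDir $relDll
        $present = Test-Path -LiteralPath $dll -PathType Leaf
        $hash    = $null
        $written = $null
        if ($present) {
            # Record identifying details before anything is deleted.
            $hash    = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
            $written = (Get-Item -LiteralPath $dll -Force).LastWriteTime
        }

        $result = 'NoChange'
        if ($Action -eq 'RemoveDll' -and $present -and $PSCmdlet.ShouldProcess($dll, 'Delete file')) {
            Remove-Item -LiteralPath $dll -Force
            $result = 'DllRemoved'
        }
        elseif ($Action -eq 'RemoveAppFolder' -and $PSCmdlet.ShouldProcess($appDir, 'Delete folder')) {
            # Only for profiles where the app has already been uninstalled.
            Remove-Item -LiteralPath $appDir -Recurse -Force
            $result = 'AppFolderRemoved'
        }

        [pscustomobject]@{
            Profile = $p.Name; AppFolder = $appDir; DllPresent = $present
            Sha256 = $hash; LastWriteTime = $written; Result = $result
        }
    }
}

Invoke-QuickCaptureWebpAudit   # report only; rerun with -Action RemoveDll to delete
```

Run it from an elevated session so other users' profile folders are readable; profiles that cannot be read are skipped silently.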

Article ID: 000037949

Software:
  • ArcGIS QuickCapture
