CVE-2025-43795 Open redirect in System Settings, Instance Settings and Site Settings

Description

Open redirect vulnerability in the System Settings in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter.

Open redirect vulnerability in the Instance Settings in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect parameter.

Open redirect vulnerability in the Site Settings in Liferay Portal and Liferay DXP allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect parameter.
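
All three parameters share one failure mode: the portlet trusts a request-supplied redirect target. As an added defensive example (not Liferay code), the following Python shows a same-origin check for a decoded redirect value and runs it over constructed access-log lines to surface requests whose redirect leaves the portal; `portal.example.com`, `attacker.example` and the client addresses are placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# The three redirect parameters named in the advisory.
REDIRECT_PARAMS = (
    "_com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect",
    "_com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect",
    "_com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect",
)

def is_local_redirect(target, allowed_hosts):
    """True only if an already-decoded redirect value stays on the portal.

    Accepts a plain relative path; rejects scheme-relative '//host',
    backslash variants, userinfo tricks and absolute URLs to other hosts.
    """
    target = target.strip()
    if not target or target.startswith(("//", "/\\", "\\")):
        return False
    if target.startswith("/"):
        return True
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority (e.g. bad IPv6 brackets)
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # urlsplit drops userinfo, so 'https://portal@evil/' yields host 'evil'.
    return (parts.hostname or "").lower() in allowed_hosts

def find_external_redirects(log_lines, allowed_hosts):
    """Return (parameter, value) pairs whose redirect target leaves the portal."""
    hits = []
    for line in log_lines:
        try:  # CLF-style line: the request is the first quoted field.
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        query = parse_qs(urlsplit(path).query)  # percent-decodes values once
        for param in REDIRECT_PARAMS:
            for value in query.get(param, []):
                if not is_local_redirect(value, allowed_hosts):
                    hits.append((param, value))
    return hits

# Constructed sample access-log lines; hosts and addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Nov/2024:13:18:00 +0000] "GET /group/control_panel/manage?_com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect=%2Fgroup%2Fcontrol_panel HTTP/1.1" 302 0',
    '10.0.0.9 - - [04/Nov/2024:13:19:12 +0000] "GET /group/control_panel/manage?_com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0',
    '10.0.0.9 - - [04/Nov/2024:13:19:40 +0000] "GET /group/control_panel/manage?_com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect=%2F%2Fattacker.example%2F HTTP/1.1" 302 0',
]
```

Calling `find_external_redirects(SAMPLE_LOG, {"portal.example.com"})` leaves the first line alone (an on-portal path) and reports the other two, including the scheme-relative `//` form that a naive "starts with /" check would accept.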

Severity

5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.1.0 through 7.4.3.101
  • Liferay DXP 2023.Q3.0 through 2023.Q3.4
  • Liferay DXP 7.4 GA through U92
  • Liferay DXP 7.3 GA through U35, and older unsupported versions

Fixed Version(s)

  • Liferay Portal 7.4.3.102
  • Liferay DXP 2024.Q1.1
  • Liferay DXP 2023.Q4.0
  • Liferay DXP 2023.Q3.5
  • Liferay DXP 7.3 U36

Acknowledgments

This issue was reported by Abderrahmane BOUNHIDJA

Publication date: Mon, 04 Nov 2024 13:18:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.