Description
By default, Liferay Portal and Liferay DXP are vulnerable to DNS rebinding attacks, which allow remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.
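The following added example is a simplified model of the two redirect-validation modes. It is not Liferay's code, and the function names, allow lists and stub resolver are assumptions constructed for illustration. It shows why a check that resolves the host name gives a verdict that depends on DNS at lookup time, while a domain allow list does not.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy; values are illustrative, not Liferay defaults.
ALLOWED_IPS = {"127.0.0.1", "10.0.0.5"}
ALLOWED_DOMAINS = {"portal.example.com", "*.intranet.example.com"}


def host_of(url):
    """Return the lower-cased host of an absolute URL, or None."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def allowed_ip_mode(url, resolve):
    """IP mode (model): accept when every resolved address is allow-listed.
    The verdict depends on whatever DNS answers at check time."""
    host = host_of(url)
    if host is None:
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        addrs = resolve(host)  # host name: trust the resolver's answer
    return bool(addrs) and all(a in ALLOWED_IPS for a in addrs)


def allowed_domain_mode(url):
    """Domain mode (model): accept only allow-listed names; no DNS lookup."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == p or (p.startswith("*.") and host.endswith(p[1:]))
               for p in ALLOWED_DOMAINS)


class RebindingResolver:
    """Constructed stub: the zone owner changes the answer between lookups."""

    def __init__(self, answers):
        self.answers = answers
        self.calls = 0

    def __call__(self, host):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return answer
```

In this model the same external URL is accepted or rejected in IP mode depending only on the DNS answer at that moment, and is always rejected in domain mode because its name is not on the allow list.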
Severity
5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)
Affected Version(s)
- Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions
- Liferay DXP 2024.Q1 through 2024.Q1.5
- Liferay DXP 2023.Q3
- Liferay DXP 2023.Q4
- Liferay DXP 7.4, and older unsupported versions
Fixed Version(s)
- Liferay Portal 7.4.3.120
- Liferay DXP 2024.Q2.0
- Liferay DXP 2024.Q1.6
Publication date: Thu, 30 Oct 2025 17:38:00 +0000