CVE-2025-43795
MEDIUM WAF: MediumOpen redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter. Open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect parameter. Open redirect vulnerability in the Site Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect parameter.
WAF Coverage Analysis
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| liferay | digital_experience_platform | up to 7.3 |
| liferay | digital_experience_platform | 2023.Q3.0 - 2023.Q3.5 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.3 |
References
- liferay.dev (Vendor Advisory)