Home

Description

Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter.

PUBLISHED Reserved 2025-10-09 | Published 2025-10-27 | Updated 2025-10-27 | Assigner Liferay




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Product status

Default status
unaffected

7.4.0 (maven)
affected

Default status
unaffected

7.3.10 (maven)
affected

7.4.13 (maven)
affected

2023.Q3.1 (maven)
affected

Credits

Abderrahmane BOUNHIDJA reporter

References

liferay.dev/...-/asset_publisher/jekt/content/CVE-2025-62253

cve.org (CVE-2025-62253)

nvd.nist.gov (CVE-2025-62253)

Download JSON