CVE-2023-35029

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.3.70 through 7.4.3.76 Liferay DXP 7.4 update 70 through 76

Description The issue is related to an open redirect vulnerability in the Layout module's SEO configuration. This vulnerability allows remote attackers to redirect users to arbitrary external URLs via the com liferay layout admin web portlet GroupPagesPortlet backURL parameter.

Recommendations For Liferay Portal versions 7.4.3.70 through 7.4.3.76, consider restricting access to the Layout module's SEO configuration until a patch is available. For Liferay DXP 7.4 update 70 through 76, avoid using the com liferay layout admin web portlet GroupPagesPortlet backURL parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.