PT-2024-21037 · Liferay · Liferay Portal+1

Published: 2024-02-20 · Updated: 2025-12-24 · CVE-2024-25608

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.2.0 through 7.4.3.18; Liferay DXP 7.4 before update 19; Liferay DXP 7.3 before update 4; Liferay DXP 7.2 before fix pack 19.

Description: The issue allows remote attackers to redirect users to arbitrary external URLs via parameters such as redirect, FORWARD URL, noSuchEntryRedirect, and others that rely on HtmlUtil.escapeRedirect. This can be achieved by circumventing HtmlUtil.escapeRedirect using the 'REPLACEMENT CHARACTER' (U+FFFD). Threat actors are leveraging this issue for phishing, including credential phishing on U.S. government sites.

Recommendations: For Liferay Portal versions 7.2.0 through 7.4.3.18, update to a version after 7.4.3.18 or apply the necessary fix. For Liferay DXP 7.4 before update 19, apply update 19. For Liferay DXP 7.3 before update 4, apply update 4. For Liferay DXP 7.2 before fix pack 19, apply fix pack 19. As a temporary workaround, consider restricting access to parameters such as redirect, FORWARD URL, and noSuchEntryRedirect to minimize the risk of exploitation.
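The check below is an added example of the kind of allowlist-based redirect validation a deployment could apply to the parameters named above; it is not Liferay's HtmlUtil.escapeRedirect and makes no claim about how that method was bypassed. The allowlist host is constructed, and the underscore spelling FORWARD_URL is assumed for the parameter written "FORWARD URL" above. Rather than escaping the target, it rejects any value that is not plain ASCII (so U+FFFD, whether sent literally or as bytes that decode to it, never reaches a host comparison) and then requires the parsed host to be on the allowlist.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts this deployment may redirect to: a constructed allowlist, adjust per site.
ALLOWED_HOSTS = {"portal.example.com"}
# Parameters the advisory names as redirect targets (FORWARD_URL spelling assumed).
REDIRECT_PARAMS = ("redirect", "FORWARD_URL", "noSuchEntryRedirect")


def is_safe_redirect(target: str) -> bool:
    """Return True only if target stays on an allowed host or is a plain local path.

    Non-ASCII input is rejected outright. This covers a literal U+FFFD and also
    the U+FFFD that urllib produces when undefined percent-encoded bytes are
    decoded with replacement, so neither form reaches the host comparison.
    """
    if not target:
        return False
    decoded = unquote(target)  # undefined byte sequences decode to U+FFFD
    if not target.isascii() or not decoded.isascii():
        return False
    if any(ch in decoded for ch in "\r\n\t \\"):  # CRLF, whitespace, backslash
        return False
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash, so "//other.example" is refused.
        return decoded.startswith("/") and not decoded.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname strips userinfo and port, so "allowed@other" resolves to "other".
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def flag_redirect_params(query_string: str) -> list:
    """List (param, value) pairs from a query string that fail the redirect check.

    Useful both as a request filter and for reviewing access logs offline.
    """
    flagged = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name in REDIRECT_PARAMS and not is_safe_redirect(value):
            flagged.append((name, value))
    return flagged


if __name__ == "__main__":
    # Constructed query string, not captured traffic.
    print(flag_redirect_params("redirect=%2Fweb%2Fguest&noSuchEntryRedirect=https%3A%2F%2Fother.example%2F"))
```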

Fix · Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2024-25608
GHSA-548X-J6X6-HCV4

Affected Products

Liferay DXP
Liferay Portal