PT-2025-44440 · Liferay · Liferay Dxp+1
Published
2025-10-30
·
Updated
2025-11-11
·
CVE-2025-62266
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Liferay Portal versions 7.4.0 through 7.4.3.119
Liferay DXP versions 2023.Q3.1 through 2023.Q4.10
Liferay DXP versions 2024.Q1.1 through 2024.Q1.5
Liferay Portal versions 7.4 GA through update 92
Older unsupported versions
Description
The software is susceptible to DNS rebinding attacks, which could allow remote attackers to redirect users to arbitrary external URLs. The redirect URL security is, by default, configured to use IP, which enables this issue.
Recommendations
Change the redirect URL security from IP to domain for Liferay Portal versions 7.4.0 through 7.4.3.119.
Change the redirect URL security from IP to domain for Liferay DXP versions 2023.Q3.1 through 2023.Q4.10.
Change the redirect URL security from IP to domain for Liferay DXP versions 2024.Q1.1 through 2024.Q1.5.
Change the redirect URL security from IP to domain for Liferay Portal versions 7.4 GA through update 92.
Change the redirect URL security from IP to domain for older unsupported versions.
Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Liferay Dxp
Liferay Portal