Liferay Portal and DXP Open Redirect Vulnerability in Settings Portlets

An open redirect vulnerability has been identified in multiple settings portlets of Liferay Portal and Liferay DXP. This vulnerability allows remote attackers to redirect users to arbitrary external URLs. The issue is present in Liferay Portal versions 7.1.0 through 7.4.3.101, as well as in Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The vulnerability is exploited via the '_com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect', '_com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect', or '_com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect' parameters, depending on the affected settings context.

Impact

Exploitation of this vulnerability could lead to open redirect issues, allowing for phishing attacks or other malicious redirection.

Remediation

Users can upgrade to Liferay Portal 7.4.3.102 or Liferay DXP versions 2024.Q1.1, 2023.Q4.0, 2023.Q3.5, or 7.3 U36 to address this vulnerability.