CVE-2025-43767
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-23

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
Open Redirect vulnerability in /c/portal/edit_info_item parameter redirect in Liferay Portal 7.4.3.86 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 update 86 through update 92 allows an attacker to exploit this security vulnerability to redirect users to a malicious site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-23
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-08-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-43767
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.Q1.1 (inc) to 2024.Q1.13 (exc)
liferay digital_experience_platform From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay digital_experience_platform From 2024.Q3.1 (inc) to 2024.Q3.10 (exc)
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.3.86 (inc) to 7.4.3.132 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43767 is an Open Redirect vulnerability in the /c/portal/edit_info_item parameter redirect functionality of Liferay Portal and Liferay DXP. It allows an attacker to manipulate the redirect parameter to send users to malicious websites, potentially enabling phishing or other attacks. The vulnerability affects multiple versions of Liferay Portal and DXP and requires user interaction to be exploited. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect users from a trusted Liferay Portal or DXP site to malicious websites. This can lead to phishing attacks, where users might be tricked into revealing sensitive information or downloading malware. Although the impact on confidentiality, integrity, and availability is low, the risk of user deception and potential compromise of user data exists. [1]

Detection Guidance

You can detect this vulnerability by testing the /c/portal/edit_info_item parameter for open redirect behavior. For example, you can use curl or similar tools to send requests with manipulated redirect parameters and observe if the response redirects to an external or malicious URL. A sample command could be: curl -I 'http://your-liferay-instance/c/portal/edit_info_item?redirect=http://malicious-site.com' and check if the Location header redirects to the external URL. Monitoring web server logs for unusual redirect patterns involving this parameter can also help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade your Liferay Portal or Liferay DXP installation to a fixed version that addresses this vulnerability. The fixed versions are Liferay Portal 7.4.3.132, Liferay DXP 2024.Q1.13, 2024.Q3.10, 2024.Q4.0, or 2025.Q1.0. If upgrading immediately is not possible, consider implementing input validation or filtering on the redirect parameter to prevent open redirects, and monitor for suspicious redirect activity. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43767. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart