CVE-2025-43767
BaseFortify
Publication date: 2025-08-23
Last updated on: 2025-12-12
Assigner: Liferay Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2024.Q1.1 (inc) to 2024.Q1.13 (exc) |
| liferay | digital_experience_platform | From 2024.Q2.0 (inc) to 2024.Q2.13 (inc) |
| liferay | digital_experience_platform | From 2024.Q3.1 (inc) to 2024.Q3.10 (exc) |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.3.86 (inc) to 7.4.3.132 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-43767 is an Open Redirect vulnerability in the redirect parameter of the /c/portal/edit_info_item endpoint in Liferay Portal and Liferay DXP. It allows an attacker to manipulate the redirect parameter so that users are sent to malicious websites, potentially enabling phishing or other attacks. The vulnerability affects multiple versions of Liferay Portal and DXP and requires user interaction to be exploited. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to redirect users from a trusted Liferay Portal or DXP site to malicious websites. This can lead to phishing attacks, where users might be tricked into revealing sensitive information or downloading malware. Although the impact on confidentiality, integrity, and availability is low, the risk of user deception and potential compromise of user data exists. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing the /c/portal/edit_info_item redirect parameter for open redirect behavior. For example, you can use curl or similar tools to send requests with manipulated redirect parameters and observe whether the response redirects to an external URL. A sample command is `curl -I 'http://your-liferay-instance/c/portal/edit_info_item?redirect=http://malicious-site.com'`; then check whether the Location header points to the external URL. Monitoring web server logs for unusual redirect patterns involving this parameter can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your Liferay Portal or Liferay DXP installation to a fixed version that addresses this vulnerability. The fixed versions are Liferay Portal 7.4.3.132, Liferay DXP 2024.Q1.13, 2024.Q3.10, 2024.Q4.0, or 2025.Q1.0. If upgrading immediately is not possible, consider implementing input validation or filtering on the redirect parameter to prevent open redirects, and monitor for suspicious redirect activity. [1]
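The two interim measures above, validating the redirect parameter and watching access logs for off-site targets, as an added Python example that is not Liferay's code and not part of the original record. The allowed host, the log lines and the `/c/portal/edit_info_item` query strings are constructed for illustration; the validator also covers the encoded and backslash variants browsers treat as external, which the paragraph does not spell out.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the deployment may legitimately redirect to (assumed value; substitute your own).
ALLOWED_HOSTS = {"portal.example.com"}

def is_safe_redirect(value, allowed_hosts=ALLOWED_HOSTS):
    """True only if `value` is a site-relative path or names an explicitly allowed host."""
    if not value:
        return False
    # Decode one layer of percent-encoding and treat backslashes as slashes, since
    # browsers do ("/\malicious-site.com" is navigated as "//malicious-site.com").
    candidate = unquote(value).strip().replace("\\", "/")
    if any(ch in candidate for ch in "\r\n\t\x00"):
        return False  # header-splitting characters
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data: and other non-navigational schemes
    if parts.netloc:
        # Absolute or protocol-relative URL: the real host (after any user@ prefix) must be allowed.
        return parts.hostname in allowed_hosts
    # No host component: accept only a single-slash, site-relative path.
    return candidate.startswith("/") and not candidate.startswith("//")

def safe_redirect_target(value, default="/"):
    """Value to emit in the Location header: the parameter if it is safe, else the default."""
    return value if is_safe_redirect(value) else default

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Aug/2025:10:00:01 +0000] "GET /c/portal/edit_info_item?redirect=%2Fgroup%2Fguest%2Fhome HTTP/1.1" 302 0',
    '203.0.113.9 - - [23/Aug/2025:10:00:07 +0000] "GET /c/portal/edit_info_item?redirect=http%3A%2F%2Fmalicious-site.com HTTP/1.1" 302 0',
    '203.0.113.9 - - [23/Aug/2025:10:00:09 +0000] "GET /c/portal/edit_info_item?redirect=%2F%5Cmalicious-site.com HTTP/1.1" 302 0',
    '203.0.113.2 - - [23/Aug/2025:10:00:12 +0000] "GET /web/guest/home HTTP/1.1" 200 512',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def flag_redirect_abuse(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return the `redirect` values sent to edit_info_item that point off-site."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "/c/portal/edit_info_item" not in m.group("path"):
            continue
        for target in parse_qs(urlsplit(m.group("path")).query).get("redirect", []):
            if not is_safe_redirect(target, allowed_hosts):
                hits.append(target)
    return hits
```

Run `flag_redirect_abuse(SAMPLE_LOG)` against real logs by feeding it an open file object instead of the constructed list; the site-relative request is ignored and the two external targets are reported.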