First published: Thu Jun 15 2023
Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.
Credit: security@liferay.com
Affected Software | Affected Version | How to fix
---|---|---
Liferay DXP | =7.4-update_70 | Upgrade to 7.4 update 77 or later
Liferay DXP | =7.4-update_71 | Upgrade to 7.4 update 77 or later
Liferay DXP | =7.4-update_72 | Upgrade to 7.4 update 77 or later
Liferay DXP | =7.4-update_73 | Upgrade to 7.4 update 77 or later
Liferay DXP | =7.4-update_74 | Upgrade to 7.4 update 77 or later
Liferay DXP | =7.4-update_75 | Upgrade to 7.4 update 77 or later
Liferay DXP | =7.4-update_76 | Upgrade to 7.4 update 77 or later
Liferay Portal | >=7.4.3.70, <7.4.3.77 | Upgrade to 7.4.3.77 or later
CVE-2023-35029 is an open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76 and Liferay DXP 7.4 update 70 through 76. The `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter is used as a redirect destination without being restricted to the portal's own origin, so a remote attacker can place an arbitrary external URL in it.
Exploitation is a link: the attacker crafts a URL to the affected SEO configuration page with the `backURL` parameter pointing at a site they control and gets a portal user to open it. Because the first hop is to a trusted Liferay host, the resulting redirect is a convenient front for credential phishing or for delivering a second-stage page that appears to have been reached from the portal.
CVE-2023-35029 has a CVSS base score of 6.1, rated medium. The score reflects that user interaction is required (the victim must follow the attacker's link) and that the direct impact is limited to where the user ends up, not to data on the portal itself.
CVE-2023-35029 affects Liferay Portal 7.4.3.70 through 7.4.3.76 and Liferay DXP 7.4 update 70 through 76; earlier and later releases are not listed as affected.
To fix CVE-2023-35029, upgrade Liferay Portal to 7.4.3.77 or later, or Liferay DXP 7.4 to update 77 or later, the first versions outside the affected range. Until the upgrade is in place, it is worth confirming on the running instance that the parameter only ever sends a user back to a path on the portal's own host, and checking access logs for requests where its value decodes to an absolute or protocol-relative URL on a foreign host.
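The check and the log sweep described above, as an added example that is not Liferay's code and not the fix shipped in 7.4.3.77: `is_safe_return_url` is a generic hardened validator for a "back URL" parameter, shown beside the flawed pattern that uses the value verbatim, and `find_backurl_abuse` runs that validator over access log lines to flag attempts. Only the parameter name comes from the advisory; the control panel path, the portal host name and the log lines are constructed assumptions for the demo.

```python
"""Added example, not Liferay code: a hardened check for a "back URL"
parameter and a log sweep for attempts to abuse the parameter named in
CVE-2023-35029. The control panel path, the portal host and the log
lines are assumptions constructed for the demo.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

BACKURL_PARAM = "_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL"
CONTROL_PANEL_PATH = "/group/guest/~/control_panel/manage"  # assumed path
PORTAL_HOSTS = {"www.example.com"}  # hosts we are willing to send users to (assumed)


def vulnerable_redirect_target(back_url: str) -> str:
    """The flawed pattern behind an open redirect: the client-supplied
    value becomes the redirect destination without any check."""
    return back_url


def is_safe_return_url(back_url: str, allowed_hosts: set) -> bool:
    """Accept only a single-slash path on this site or an absolute http(s)
    URL on an allowed host. Both the raw value and its once-more-decoded
    form must pass, so a value that only turns dangerous after a second
    URL decode by some downstream component is rejected as well."""
    if not back_url:
        return False
    for candidate in (back_url, unquote(back_url)):
        # Whitespace, C0 controls, DEL and backslash are rejected outright:
        # browsers strip or normalise them ("/\\evil" is read as "//evil").
        if any(ord(ch) <= 0x20 or ord(ch) == 0x7F or ch == "\\" for ch in candidate):
            return False
        try:
            parts = urlsplit(candidate)
        except ValueError:  # e.g. malformed IPv6 literal
            return False
        if parts.scheme or parts.netloc:
            # Anything with a scheme or authority must be an http(s) URL
            # (this also drops scheme-relative "//host"), carry no userinfo
            # ("https://www.example.com@evil.example") and point at a host
            # we own. "https:evil.example" parses with no netloc and so
            # fails the host check.
            if parts.scheme not in ("http", "https"):
                return False
            if parts.username is not None or parts.password is not None:
                return False
            if (parts.hostname or "") not in allowed_hosts:
                return False
        else:
            # Relative target: exactly one leading slash. "//evil" and
            # "///evil" are protocol-relative URLs to a foreign host.
            if not candidate.startswith("/") or candidate.startswith("//"):
                return False
    return True


# Constructed access log lines in common log format for the demo.
SAMPLE_LOG = [
    # benign: the user is sent back to a page on the portal itself
    f'203.0.113.10 - - [15/Jun/2023:10:01:02 +0000] "GET {CONTROL_PANEL_PATH}'
    f'?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet'
    f'&{BACKURL_PARAM}=%2Fgroup%2Fguest%2Fhome HTTP/1.1" 200 5120',
    # abuse: absolute URL on a foreign host
    f'198.51.100.7 - - [15/Jun/2023:10:03:44 +0000] "GET {CONTROL_PANEL_PATH}'
    f'?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet'
    f'&{BACKURL_PARAM}=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0',
    # abuse: protocol-relative URL, easy to miss if you only look for "http"
    f'198.51.100.7 - - [15/Jun/2023:10:03:59 +0000] "GET {CONTROL_PANEL_PATH}'
    f'?p_p_id=com_liferay_layout_admin_web_portlet_GroupPagesPortlet'
    f'&{BACKURL_PARAM}=%2F%2Fattacker.example HTTP/1.1" 302 0',
    # unrelated request without the parameter
    '203.0.113.10 - - [15/Jun/2023:10:05:10 +0000] "GET /web/guest/home HTTP/1.1" 200 8192',
]

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_backurl_abuse(log_lines, allowed_hosts):
    """Return (client_ip, decoded_back_url) for every request whose backURL
    would not pass is_safe_return_url. parse_qs does the same URL decoding
    the server performs before the value reaches the portlet."""
    hits = []
    for line in log_lines:
        match = LOG_LINE_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query).get(BACKURL_PARAM, []):
            if not is_safe_return_url(value, allowed_hosts):
                hits.append((match.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, target in find_backurl_abuse(SAMPLE_LOG, PORTAL_HOSTS):
        print(f"suspicious backURL from {ip}: {target}")
```

The validator deliberately refuses scheme-relative targets and anything with userinfo, because those are the forms that most often slip past a naive "starts with /" or "contains my hostname" check; if the portal legitimately needs to return users to a sibling host, add that host to the allow list rather than loosening the rules.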