Description
Open redirect vulnerability in the Notifications module in Liferay Portal 7.0.0 through 7.3.1, and Liferay DXP 7.0 before fix pack 94, 7.1 before fix pack 19 and 7.2 before fix pack 8, allows remote attackers to redirect users to arbitrary external URLs via the 'redirect' parameter.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120747627
Patch, Vendor Advisory x_refsource_confirm
https://issues.liferay.com/browse/LPE-17022
Scores
CVSS v3
6.1
EPSS
0.0036
EPSS Percentile
58.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (3)
com.liferay.portal/release.dxp.bom
7.0.10.fp0 - 7.0.10.fp94Maven
com.liferay.portal/release.portal.bom
7.0.0Maven
liferay/digital_experience_platform
7.0 (48 CPE variants)
Published
Aug 03, 2021
Tracked Since
Feb 18, 2026