CVE-2023-35029

MEDIUM

Liferay DXP 7.4 update 70-76 / Portal 7.4.3.70-76 Open Redirect via SEO BackURL

Title source: llm

Description

Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.

References (1)

Core 1

Core References

Patch, Vendor Advisory vendor-advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029

Scores

CVSS v3 6.1

EPSS 0.0040

EPSS Percentile 61.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (4)

com.liferay.portal/release.dxp.bom 7.4.13.u70Maven

com.liferay.portal/release.portal.bom 7.4.3.70-ga70 - 7.4.3.77-ga77Maven

liferay/dxp 7.4 update_70 (7 CPE variants)

liferay/liferay_portal 7.4.3.70 - 7.4.3.77

Published Jun 15, 2023

Tracked Since Feb 18, 2026