CVE-2025-62266

MEDIUM

Liferay Digital Experience Platform < 7.4.3.110 - Open Redirect

Title source: rule

Description

By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.

References (1)

[Vendor Advisory] https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62256

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (3)

com.liferay.portal/release.portal.bom 7.4.0-ga1 - 7.4.3.110Maven

liferay/digital_experience_platform 7.3 (35 CPE variants)

liferay/digital_experience_platform 7.4 (14 CPE variants)

Published Oct 30, 2025

Tracked Since Feb 18, 2026