CVE-2025-43795 — Open Redirect in Digital Experience Platform

CWE-601 — Open Redirect4 documents4 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 87.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 12

Description

Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter. Open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.1.0 — 7.4.3.102

▶CVEListV5liferay/portal7.1.0 — 7.4.3.101

▶NVDliferay/digital_experience_platform2023.Q3.0 — 2023.Q3.5+3

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+2

🔴Vulnerability Details

CVEList

CVE-2025-43795: Open redirect vulnerability in the System Settings in Liferay Portal 7↗2025-09-12

▶

GHSA

Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect↗2025-09-12

▶

OSV

Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect↗2025-09-12

▶