CVE-2025-43767 in Liferayinfo

Summary

by MITRE • 08/23/2025

Open Redirect vulnerability in /c/portal/edit_info_item parameter redirect in Liferay Portal 7.4.3.86 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 update 86 through update 92 allows an attacker to exploit this security vulnerability to redirect users to a malicious site.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 12/13/2025

The CVE-2025-43767 vulnerability represents a critical open redirect flaw within the Liferay Portal platform that affects multiple versions including Liferay Portal 7.4.3.86 through 7.4.3.131 and Liferay DXP 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 86 through update 92. This vulnerability specifically targets the /c/portal/edit_info_item parameter redirect functionality, creating a pathway for malicious actors to manipulate user navigation and potentially execute social engineering attacks. The flaw stems from inadequate input validation and sanitization of redirect parameters, allowing attackers to craft malicious URLs that appear legitimate to users while directing them to unauthorized third-party domains.

The technical implementation of this vulnerability occurs within the portal's redirect handling mechanism where user-supplied parameters are not properly validated against a whitelist of approved domains or thoroughly sanitized before being used for redirection operations. This weakness falls under the CWE-601 vulnerability category, specifically addressing open redirect flaws where applications redirect users to arbitrary web addresses without proper validation. The vulnerability operates at the application layer and can be exploited through crafted URLs that include malicious redirect parameters, making it particularly dangerous in environments where users frequently interact with portal applications and may be unaware of the redirection.

The operational impact of CVE-2025-43767 extends beyond simple unauthorized redirection, creating significant risks for user security and organizational integrity. Attackers can leverage this vulnerability to conduct phishing campaigns by redirecting users to malicious sites that mimic legitimate Liferay portals, potentially capturing credentials or sensitive information. The vulnerability enables sophisticated social engineering attacks where users are tricked into visiting malicious domains while believing they are navigating within a trusted application environment. This poses particular risks in enterprise settings where Liferay portals serve as central access points for business applications and sensitive data, potentially allowing attackers to bypass security controls and gain unauthorized access to internal resources.

Organizations affected by this vulnerability should implement immediate mitigations including input validation controls that enforce strict domain whitelisting for redirect parameters, proper URL sanitization before redirection operations, and comprehensive monitoring of redirect activities within portal logs. The implementation of security measures should align with ATT&CK framework techniques related to defense evasion and credential access, particularly focusing on preventing unauthorized redirects that could facilitate further exploitation. Additionally, organizations should conduct thorough security assessments of their portal configurations, update to patched versions of Liferay Portal and DXP where available, and implement network-level controls to prevent access to known malicious domains. Regular security awareness training for users should emphasize the importance of verifying URLs before clicking on links, especially in environments where the vulnerability could be exploited through email campaigns or other user-facing interfaces.

Responsible

Liferay

Reservation

04/17/2025

Disclosure

08/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00172

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!