Lucene search

Veracode Vulnerability DatabaseVERACODE:41070

HistoryJun 29, 2023 - 6:16 a.m.

Open Redirect

2023-06-2906:16:07

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerable

open redirect

validation

parameter

layout module

seo configuration

malicious urls

software

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

32.1%

JSON

com.liferay.layout.seo.web is vulnerable to Open Redirect. The vulnerability exists due to the lack of validation in the backURL parameter in the layout module’s SEO configuration, which allows an attacker to redirect users to malicious external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter.

CPENameOperatorVersion
com.liferay.layout.seo.weble2.0.62
com.liferay.layout.seo.weble2.0.62

CPE	Name	Operator	Version
	com.liferay.layout.seo.web	le	2.0.62
	com.liferay.layout.seo.web	le	2.0.62

References

github.com/advisories/GHSA-22w7-m5f8-87vh

github.com/liferay/liferay-portal/commit/79fede5f639b4bfbab35191d2879b64c3cca4f1a

liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

32.1%

JSON

Related for VERACODE:41070