CVE-2025-43795: 
Liferay Portal 脆弱性の分析と軽減

CVE-2025-43795 is an open redirect vulnerability affecting multiple components in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP versions from 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The vulnerability was discovered by Abderrahmane BOUNHIDJA and publicly disclosed on November 4, 2024 (Liferay Security).

The vulnerability exists in three different components: System Settings, Instance Settings, and Site Settings. It allows remote attackers to redirect users to arbitrary external URLs through manipulation of specific parameters: comliferayconfigurationadminwebportletSystemSettingsPortletredirect, comliferayconfigurationadminwebportletInstanceSettingsPortletredirect, and comliferaysiteadminwebportletSiteSettingsPortletredirect. The vulnerability has been assigned a CVSS v4.0 score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability allows attackers to perform open redirect attacks, which could potentially be used in phishing campaigns by redirecting users to malicious websites. The CVSS scoring indicates low impact on confidentiality and integrity, with no impact on availability (Liferay Security).

The vulnerability has been fixed in Liferay Portal 7.4.3.102, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 U36. Users are advised to upgrade to these fixed versions (Liferay Security).