CVE-2025-62266: 
Java Análise e mitigação de vulnerabilidades

CVE-2025-62266 affects Liferay Portal versions 7.4.0 through 7.4.3.119 and Liferay DXP versions from 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92, along with older unsupported versions. The vulnerability is related to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs (NVD).

The vulnerability exists in the default configuration of affected Liferay versions, where the redirect URL security is set to IP instead of domain. This configuration makes the system vulnerable to DNS rebinding attacks. The vulnerability has been assigned a CVSS 4.0 Base Score of 5.1 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

When exploited, this vulnerability allows remote attackers to redirect users to arbitrary external URLs, potentially leading to phishing attacks or other malicious redirections. The impact is considered medium severity due to the requirement of user interaction and the limited scope of the vulnerability (NVD).

The vulnerability can be mitigated by changing the redirect URL security setting from IP to domain. For a permanent fix, users should upgrade to the latest version of their respective Liferay products (NVD, CERT-FR).