HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3, can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via (1) the `redirect` parameter, (2) the `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect.
A web application accepts user-controlled input that specifies a link to an external site and uses that link in a redirect. Because the victim sees a link to the trusted portal domain and is then sent elsewhere, this simplifies phishing attacks.
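The root cause behind a multiple-slash bypass is a parser differential: a server-side URL parser reports `///evil.example` as a host-less path, while a browser following the WHATWG URL parser collapses any run of `/` (or `\`) after a special scheme into the single `//` that introduces a host, so the `Location` header sends the user to `evil.example`. The block below is an added illustration, not Liferay's HtmlUtil.escapeRedirect or its fix; the portal origin `portal.example`, the function names and the allow-list are assumptions. It goes slightly beyond the page's stated case by also modelling backslash and `https:///` variants of the same trick, which the same hardened check handles.

```python
"""Added example (not Liferay's code): why a redirect check that relies on a
server-side URL parser can be bypassed with multiple leading slashes.

Assumptions: the portal lives at https://portal.example, and the parameter
value being checked is the raw 'redirect' / 'FORWARD_URL' string.
The browser behaviour modelled here is the WHATWG URL parser, which treats a
run of two or more '/' or '\\' after a special scheme (http, https) as the
single '//' that starts an authority. This is a model of the cases a
practitioner tests for, not a full WHATWG parser.
"""
import re
from urllib.parse import urlsplit, urljoin

PORTAL_ORIGIN = "https://portal.example"   # assumed site origin
ALLOWED_HOSTS = ("portal.example",)        # assumed redirect allow-list


def naive_escape_redirect(redirect: str) -> str:
    """Weak check modelled on the vulnerable pattern: trust the server-side
    parser's view. urlsplit('///evil.example/') reports an empty netloc, so
    the value is judged to be a same-site path and is returned unchanged."""
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return ""            # absolute or protocol-relative: refuse
    return redirect          # looks like a local path to this parser


def browser_resolve(redirect: str, base: str = PORTAL_ORIGIN + "/") -> str:
    """Model of how a WHATWG-conformant browser resolves a Location value.
    Surrounding whitespace is stripped and a run of two or more '/' or '\\'
    (optionally preceded by 'http:'/'https:') collapses to '//', i.e. a new
    authority. Ordinary relative paths are delegated to urljoin, which agrees
    with browsers for those."""
    s = redirect.strip(" \t\r\n")
    m = re.match(r"^(https?:)?[\\/]{2,}", s, re.IGNORECASE)
    if m:
        s = (m.group(1) or "") + "//" + s[m.end():]
    return urljoin(base, s)


def hardened_escape_redirect(redirect: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened check: judge the redirect by where the *browser* will go, not
    by what the server-side parser happens to report. Resolve the value the
    way a browser does, then allow only http(s) targets on allow-listed hosts.
    Returns the absolute, canonical URL to emit, or '' to refuse."""
    resolved = browser_resolve(redirect)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return ""            # javascript:, data:, etc.
    if parts.hostname not in allowed_hosts:
        return ""            # off-site, including the multi-slash bypass
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate path, the classic protocol-
    # relative form, and the multiple-slash bypass and its relatives.
    samples = [
        "/c/portal/login",
        "//evil.example/",
        "///evil.example/",
        "/\\evil.example/",
        "https:///evil.example/",
        "javascript:alert(1)",
    ]
    for value in samples:
        print(f"{value!r:28} naive={naive_escape_redirect(value)!r:20} "
              f"browser->{browser_resolve(value)!r:32} "
              f"hardened={hardened_escape_redirect(value)!r}")
```

Note that the hardened variant returns the resolved absolute URL rather than echoing the attacker-controlled string, so whatever odd slash, backslash or whitespace sequence arrived in the parameter never reaches the `Location` header.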
Name | Vendor | Start Version | End Version |
---|---|---|---|
Dxp | Liferay | 7.0 (including) | 7.0 (including) |
Dxp | Liferay | 7.0-fix_pack_100 (including) | 7.0-fix_pack_100 (including) |
Dxp | Liferay | 7.0-fix_pack_101 (including) | 7.0-fix_pack_101 (including) |
Dxp | Liferay | 7.0-fix_pack_91 (including) | 7.0-fix_pack_91 (including) |
Dxp | Liferay | 7.0-fix_pack_92 (including) | 7.0-fix_pack_92 (including) |
Dxp | Liferay | 7.0-fix_pack_93 (including) | 7.0-fix_pack_93 (including) |
Dxp | Liferay | 7.0-fix_pack_94 (including) | 7.0-fix_pack_94 (including) |
Dxp | Liferay | 7.0-fix_pack_95 (including) | 7.0-fix_pack_95 (including) |
Dxp | Liferay | 7.0-fix_pack_96 (including) | 7.0-fix_pack_96 (including) |
Dxp | Liferay | 7.0-fix_pack_97 (including) | 7.0-fix_pack_97 (including) |
Dxp | Liferay | 7.0-fix_pack_98 (including) | 7.0-fix_pack_98 (including) |
Dxp | Liferay | 7.0-fix_pack_99 (including) | 7.0-fix_pack_99 (including) |
Dxp | Liferay | 7.1 (including) | 7.1 (including) |
Dxp | Liferay | 7.1-fix_pack_17 (including) | 7.1-fix_pack_17 (including) |
Dxp | Liferay | 7.1-fix_pack_18 (including) | 7.1-fix_pack_18 (including) |
Dxp | Liferay | 7.1-fix_pack_19 (including) | 7.1-fix_pack_19 (including) |
Dxp | Liferay | 7.1-fix_pack_20 (including) | 7.1-fix_pack_20 (including) |
Dxp | Liferay | 7.1-fix_pack_21 (including) | 7.1-fix_pack_21 (including) |
Dxp | Liferay | 7.1-fix_pack_22 (including) | 7.1-fix_pack_22 (including) |
Dxp | Liferay | 7.1-fix_pack_23 (including) | 7.1-fix_pack_23 (including) |
Dxp | Liferay | 7.1-fix_pack_24 (including) | 7.1-fix_pack_24 (including) |
Dxp | Liferay | 7.1-fix_pack_25 (including) | 7.1-fix_pack_25 (including) |
Dxp | Liferay | 7.2 (including) | 7.2 (including) |
Dxp | Liferay | 7.2-fix_pack_10 (including) | 7.2-fix_pack_10 (including) |
Dxp | Liferay | 7.2-fix_pack_11 (including) | 7.2-fix_pack_11 (including) |
Dxp | Liferay | 7.2-fix_pack_12 (including) | 7.2-fix_pack_12 (including) |
Dxp | Liferay | 7.2-fix_pack_13 (including) | 7.2-fix_pack_13 (including) |
Dxp | Liferay | 7.2-fix_pack_14 (including) | 7.2-fix_pack_14 (including) |
Dxp | Liferay | 7.2-fix_pack_5 (including) | 7.2-fix_pack_5 (including) |
Dxp | Liferay | 7.2-fix_pack_6 (including) | 7.2-fix_pack_6 (including) |
Dxp | Liferay | 7.2-fix_pack_7 (including) | 7.2-fix_pack_7 (including) |
Dxp | Liferay | 7.2-fix_pack_8 (including) | 7.2-fix_pack_8 (including) |
Dxp | Liferay | 7.2-fix_pack_9 (including) | 7.2-fix_pack_9 (including) |
Dxp | Liferay | 7.3 (including) | 7.3 (including) |
Dxp | Liferay | 7.3-sp1 (including) | 7.3-sp1 (including) |
Dxp | Liferay | 7.3-sp2 (including) | 7.3-sp2 (including) |
Liferay_portal | Liferay | 7.3.1 (including) | 7.4.3.4 (excluding) |