Cyber Resilience

CVE-2024-25608 (Medium severity)

Published: 20 February 2024
Modified: 11 December 2024
KEV Added: not listed
CVSS v3.1 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1765 (95.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-25608 is a medium-severity open redirect (CWE-601) vulnerability in Liferay Portal and Liferay Digital Experience Platform (DXP). Its CVSS 3.1 base score is 6.1 (Medium).

Operationally, it ranks in the top 4.7% of CVEs by EPSS-estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-25608 is an open redirect vulnerability in the HtmlUtil.escapeRedirect method, whose check can be bypassed by including the Unicode REPLACEMENT CHARACTER (U+FFFD) in the redirect value. The flaw affects Liferay Portal 7.2.0 through 7.4.3.18 and older unsupported releases, as well as Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions. It is tracked under CWE-601 with a CVSS 3.1 base score of 6.1.

Remote, unauthenticated attackers can exploit the issue by supplying crafted values in the redirect, FORWARD_URL, noSuchEntryRedirect or other parameters that pass through the escape function, sending victims to arbitrary external sites. The attack requires user interaction (the victim following a crafted link) and has limited impact on confidentiality and integrity, which matches the CVSS vector (PR:N, UI:R, C:L/I:L); the changed scope (S:C) reflects that the impact lands on the site the victim is redirected to rather than on the vulnerable component itself. Because the link a victim sees carries the trusted portal's hostname, with the external target hidden in a query parameter, the practical use of such a flaw is credential phishing and malware delivery.
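For detection and incident-response triage, the following Python scans web-server access-log lines for the redirect-family parameters the advisory names and flags values that carry U+FFFD (raw, as its UTF-8 percent-encoding %EF%BF%BD, or produced by a malformed byte such as %FF, which a replacing decoder also turns into U+FFFD) or that point off-site. This is an added example, not code from the page or from Liferay; the log lines, request paths and client addresses 10.0.0.5 and 203.0.113.9 are constructed for the example. It also shows a general parser pitfall relevant here: a non-ASCII sentinel in front of a URL hides the scheme from urlsplit, so the value is checked again with the sentinel stripped.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as relying on HtmlUtil.escapeRedirect.
REDIRECT_PARAMS = {"redirect", "FORWARD_URL", "noSuchEntryRedirect"}
REPLACEMENT_CHAR = "\ufffd"

# Constructed Common Log Format lines for the example, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2024:10:00:01 +0000] "GET /c/portal/login?redirect=%2Fweb%2Fguest HTTP/1.1" 302 -',
    '203.0.113.9 - - [20/Feb/2024:10:00:02 +0000] "GET /c/portal/login?redirect=%EF%BF%BDhttps%3A%2F%2Fevil.example%2F HTTP/1.1" 302 -',
    '203.0.113.9 - - [20/Feb/2024:10:00:03 +0000] "GET /c/portal/update_password?FORWARD_URL=https%3A%2F%2Fevil.example%2F HTTP/1.1" 302 -',
    '203.0.113.9 - - [20/Feb/2024:10:00:04 +0000] "GET /c/portal/login?redirect=%FF%2Fweb%2Fguest HTTP/1.1" 302 -',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def is_offsite(value):
    """True if a decoded redirect value would leave the current origin:
    an absolute URL, a scheme-relative //host, or a backslash variant
    that browsers normalise to a slash."""
    if value.startswith(("//", "/\\", "\\")):
        return True
    try:
        parts = urlsplit(value)
    except ValueError:
        return True  # unparseable: treat as hostile
    return bool(parts.scheme or parts.netloc)


def flag_redirect_abuse(log_lines):
    """Return (client_ip, param, decoded_value, reasons) for each suspicious hit."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes with errors="replace": %EF%BF%BD and any
        # malformed byte such as %FF both come out as U+FFFD.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in REDIRECT_PARAMS:
                continue
            for value in values:
                reasons = []
                if REPLACEMENT_CHAR in value:
                    reasons.append("U+FFFD in redirect value")
                # A leading U+FFFD keeps urlsplit from seeing "https:" as a
                # scheme, so re-check the value with the sentinel removed.
                if is_offsite(value.replace(REPLACEMENT_CHAR, "")):
                    reasons.append("off-site target")
                if reasons:
                    findings.append((client_ip, name, value, reasons))
    return findings


if __name__ == "__main__":
    for hit in flag_redirect_abuse(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the first line (a plain site-relative path) is clean and the three 203.0.113.9 requests are flagged; pointing the same function at real access logs from the login and password-update endpoints gives a quick hunt for abuse of this CVE without needing the exact bypass payload.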

Liferay has published security advisories describing the affected components and the fixes or workarounds available for supported releases; the remediation is to upgrade to the fixed Portal release or the DXP update or fix pack levels listed above.

The associated EPSS score rose from lower values to a peak of 0.2691 on 2026-02-03 before receding to the current 0.1765, a pattern consistent with a period of increased exploitation interest after disclosure (EPSS estimates exploitation probability; it is not itself evidence of observed attacks).

Vulnerability details

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.

CWE(s)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Liferay Digital Experience Platform: 7.2, 7.3, 7.4 · ≤ 7.2
Liferay Portal: ≤ 7.4.3.19

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Security awareness (addresses CWE-601): users verify URLs and avoid untrusted redirects that lead to malicious sites. Awareness is a weak control against open redirects, because the link the victim sees carries the trusted site's hostname and the external destination is hidden in a query parameter.

Redirect target validation (addresses CWE-601): validates redirect targets and URLs to ensure they conform to allowed destinations. This is the control that actually closes the weakness, and it should be an allow-list check that fails closed rather than an escaping routine that tries to repair a bad value.
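One way to implement that validation control, as an added example in Python rather than Liferay's own Java code: parse the requested target and accept it only if it is a site-relative path or an absolute http(s) URL whose host is on an explicit allow-list, rejecting anything non-ASCII (which covers U+FFFD, raw or percent-encoded), any control character and any backslash. The allow-list host portal.example.com and the helper names are assumptions for the example.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical deployment allow-list; a real one comes from configuration.
ALLOWED_HOSTS = {"portal.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Fail-closed allow-list check for a redirect target.

    Accepts only a site-relative path (starts with a single '/') or an
    absolute http(s) URL whose host is allow-listed. Rather than trying to
    escape a bad value into a good one, anything surprising is rejected.
    """
    if not isinstance(target, str) or not target:
        return False
    # Reject non-ASCII (this covers U+FFFD) and control characters both in
    # the raw value and after one round of percent-decoding, so %EF%BF%BD
    # or a malformed byte such as %FF cannot slip past a text-based check.
    for form in (target, unquote(target)):
        if not form.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in form):
            return False
    if "\\" in target:
        return False  # browsers treat '\' as '/', turning /\host into //host
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme:
        # hostname strips userinfo, so https://trusted@evil.example is caught.
        return parts.scheme.lower() in ALLOWED_SCHEMES and parts.hostname in allowed_hosts
    if parts.netloc or target.startswith("//"):
        return False  # scheme-relative URL resolves to another host
    return target.startswith("/")


def safe_redirect_target(target, default="/", allowed_hosts=ALLOWED_HOSTS):
    """What a login or 'no such entry' handler should send the user to:
    the requested target if it passes, otherwise a fixed local default."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    for candidate in ("/web/guest", "//evil.example/", "\ufffdhttps://evil.example/",
                      "%EF%BF%BD/web/guest", "https://portal.example.com@evil.example/"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The design choice worth noting is that the function never rewrites the value: an escaping routine has to anticipate every encoding and parser quirk (U+FFFD being one), whereas an allow-list on the parsed host only has to get the accepted cases right and defaults everything else to a fixed local landing page.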
