CVE-2024-25608
Published: 20 February 2024
Summary
CVE-2024-25608 is a medium-severity Open Redirect (CWE-601) vulnerability in Liferay Digital Experience Platform. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-25608 is an open redirect vulnerability in the HtmlUtil.escapeRedirect method, which can be bypassed through use of the Unicode REPLACEMENT CHARACTER (U+FFFD). The flaw affects Liferay Portal versions 7.2.0 through 7.4.3.18 and older unsupported releases, as well as Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions. It is tracked under CWE-601 with a CVSS 3.1 base score of 6.1.
Remote attackers can exploit the issue without authentication by supplying crafted values to the redirect, FORWARD_URL, noSuchEntryRedirect, or similar parameters that rely on the escape function, causing victims to be sent to arbitrary external sites. The attack requires user interaction such as clicking a malicious link and results in limited impact to confidentiality and integrity.
Liferay has published security advisories at the referenced URLs that describe the affected components and available fixes or workarounds for supported releases.
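The analysis above describes the weakness as an escape function that can be bypassed with a single code point. The class below is an added example, not Liferay's code and not the patched HtmlUtil.escapeRedirect, showing the defensive pattern that avoids that class of bypass: validate a redirect parameter positively instead of escaping it. The value is rejected if it contains anything outside printable ASCII (which covers U+FFFD) before it is parsed, and it is accepted only as a same-site relative path or as an HTTPS URL whose host is on an explicit allowlist. The allowlisted host portal.example.com, the fallback path and the sample inputs in main are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public final class SafeRedirect {

    // Constructed allowlist; a real deployment would load its own host names.
    private static final Set<String> ALLOWED_HOSTS = Set.of("portal.example.com");

    private SafeRedirect() {}

    /**
     * Returns the candidate unchanged if it is a safe redirect target,
     * otherwise the supplied fallback (a known same-site path).
     */
    public static String sanitize(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        // Reject control characters and every non-ASCII code point up front.
        // This is deliberately coarse: it removes the whole family of
        // "unexpected character confuses the escaper" problems, U+FFFD included.
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                return fallback;
            }
        }
        // Backslashes are treated as slashes by some browsers; do not try to be clever.
        if (candidate.indexOf('\\') >= 0) {
            return fallback;
        }

        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return fallback;
        }

        // No scheme and no authority: a relative reference. Require exactly one
        // leading slash so that protocol-relative "//evil.example" is not accepted.
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            return (candidate.startsWith("/") && !candidate.startsWith("//"))
                    ? candidate
                    : fallback;
        }

        // Absolute URL: only HTTPS, no userinfo, host must be allowlisted.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return fallback;
        }
        if (uri.getRawUserInfo() != null) {
            return fallback;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return fallback;
        }
        return candidate;
    }

    public static void main(String[] args) {
        String fallback = "/";
        // Constructed sample inputs covering the accepted and rejected cases.
        String[] samples = {
            "/web/guest/home",                          // accepted: relative path
            "https://portal.example.com/c/portal/login", // accepted: allowlisted host
            "//attacker.example/",                       // rejected: protocol-relative
            "https://attacker.example/",                 // rejected: host not allowlisted
            "https://portal.example.com@attacker.example/", // rejected: userinfo trick
            "javascript:alert(1)",                       // rejected: scheme
            "/web/\uFFFD/../../attacker.example",        // rejected: non-ASCII (U+FFFD)
            "\\\\attacker.example/"                      // rejected: backslashes
        };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitize(s, fallback));
        }
    }
}
```

The check runs on the decoded parameter value, so legitimate non-ASCII path segments are rejected too; if an application needs them it should require percent-encoded input and validate the encoded form, rather than relaxing the character filter. The essential point is that the decision is an allowlist on the parsed structure, so a new exotic character cannot turn a rejection into an acceptance.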
The associated EPSS score rose to a peak of 0.2691 on 2026-02-03 before receding to the current 0.1765, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22931
Vulnerability details
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) `redirect` parameter, (2) `FORWARD_URL` parameter, (3) `noSuchEntryRedirect` parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.
- CWE(s): CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.