VYPR
Moderate severity · NVD Advisory · Published Sep 22, 2022 · Updated May 27, 2025

CVE-2022-28977

Description

HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via (1) the `redirect` parameter, (2) the `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.3.1-ga2, < 7.4.3.4-ga4 | 7.4.3.4-ga4 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.0.10.fp91, < 7.0.10.fp101 | 7.0.10.fp101 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.1.10.fp17, < 7.1.10.fp25 | 7.1.10.fp25 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 7.2.10.fp5, < 7.2.10.fp14 | 7.2.10.fp14 |
| com.liferay.portal:com.liferay.util.java (Maven) | < 7.9.0 | 7.9.0 |
