Moderate severity · NVD Advisory · Published Sep 22, 2022 · Updated May 27, 2025
CVE-2022-28977
Description
HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via (1) the `redirect` parameter, (2) the `FORWARD_URL` parameter, and (3) other parameters that rely on HtmlUtil.escapeRedirect.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom | >= 7.3.1-ga2, < 7.4.3.4-ga4 | 7.4.3.4-ga4 |
| com.liferay.portal:release.dxp.bom | >= 7.0.10.fp91, < 7.0.10.fp101 | 7.0.10.fp101 |
| com.liferay.portal:release.dxp.bom | >= 7.1.10.fp17, < 7.1.10.fp25 | 7.1.10.fp25 |
| com.liferay.portal:release.dxp.bom | >= 7.2.10.fp5, < 7.2.10.fp14 | 7.2.10.fp14 |
| com.liferay.portal:com.liferay.util.java | < 7.9.0 | 7.9.0 |
Affected products
GHSA coordinates (3 versions, no CPE assigned):
- pkg:maven/com.liferay.portal/com.liferay.util.java, range: < 7.9.0
- pkg:maven/com.liferay.portal/release.dxp.bom, range: >= 7.0.10.fp91, < 7.0.10.fp101
- pkg:maven/com.liferay.portal/release.portal.bom, range: >= 7.3.1-ga2, < 7.4.3.4-ga4
References
- https://github.com/advisories/GHSA-w397-9p2j-6x23 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-28977 (NVD advisory)
- https://liferay.com (vendor site)
- https://github.com/liferay/liferay-portal/commit/242e8bcabe3e8767799d3d1e6c021a75b4ada11b (fix commit)
- https://github.com/liferay/liferay-portal/commit/6389885476414d3cd9e3092b4708906a5bdc8a48 (fix commit)
- https://github.com/liferay/liferay-portal/commit/8aa3fd76f34d1a4562bd5b4f82931a0a124e31a8 (fix commit)
- https://liferay.atlassian.net/browse/LPE-17327 (vendor issue tracker)
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28977 (vendor advisory)
- https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash (vendor advisory)
- https://web.archive.org/web/20220922060039/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash (archived copy of the vendor advisory)