Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.
2025-08-09T05:15:29.060
2025-12-16T16:43:18.523
Analyzed
CVSSv3.1: 8.6 (HIGH)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | liferay | digital_experience_platform | ≤ 2024.q1.15 | Yes |
| Application | liferay | digital_experience_platform | ≤ 2024.q2.13 | Yes |
| Application | liferay | digital_experience_platform | ≤ 2024.q3.13 | Yes |
| Application | liferay | digital_experience_platform | ≤ 2024.q4.7 | Yes |
| Application | liferay | digital_experience_platform | ≤ 2025.q1.4 | Yes |
| Application | liferay | digital_experience_platform | 7.4 | Yes |
| Application | liferay | liferay_portal | ≤ 7.4.3.132 | Yes |