CVE-2022-28977 — Liferay Portal and Liferay DXP HtmlUtil.escapeRedirect Can Be Circumvented

Description

HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.

How to fix CVE-2022-28977

To remediate CVE-2022-28977, upgrade the affected package to a fixed version below.

—upgrade to 7.9.0 or later
—upgrade to 7.0.10.fp101 or later
—upgrade to 7.4.3.4-ga4 or later

Is CVE-2022-28977 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 7.9.0
>= 7.0.10.fp91, < 7.0.10.fp101
>= 7.3.1-ga2, < 7.4.3.4-ga4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-28977
PATCHgithub.com/liferay/liferay-portal
WEBliferay.com
WEBgithub.com/liferay/liferay-portal/commit/242e8bcabe3e8767799d3d1e6c021a75b4ada11b
WEB