CVE-2025-62240
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field.
Meta Information
Published: 2025-10-09
Last Modified: 2025-12-12
Generated: 2026-05-07
AI Q&A: 2025-10-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 74 associated CPEs (identical rows are collapsed below with their counts; the page does not show the update-level detail of the individual CPE entries)

Vendor   Product                      Version / Range
liferay  digital_experience_platform  From 2023.Q3.1 (inc) to 2023.Q3.8 (exc)
liferay  digital_experience_platform  From 2023.q4.0 (inc) to 2023.q4.6 (exc)
liferay  digital_experience_platform  7.3 (12 CPE entries)
liferay  digital_experience_platform  7.4 (59 CPE entries)
liferay  liferay_portal               From 7.4.3.35 (inc) to 7.4.3.112 (exc)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves multiple cross-site scripting (XSS) issues in the Calendar events feature of Liferay Portal and Liferay DXP. Remote attackers can inject arbitrary web scripts or HTML by submitting crafted payloads into a user's First Name, Middle Name, or Last Name text fields. This allows attackers to execute malicious scripts in the context of other users. [1]


How can this vulnerability impact me?

The vulnerability can allow remote attackers to execute malicious scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. However, the impact on confidentiality, integrity, and availability is considered low. Exploitation requires user interaction and low privileges. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether your Liferay Portal or Liferay DXP installation is within the affected versions (Liferay Portal 7.4.3.35 through 7.4.3.111, Liferay DXP 2023.Q3.1 through 2023.Q3.7, 2023.Q4.0 through 2023.Q4.5, 7.4 Update 35 through Update 92, and 7.3 Update 25 through Update 36). Additionally, you can test for XSS by attempting to inject crafted payloads into the First Name, Middle Name, or Last Name fields in Calendar events and observing whether the payload executes. There are no specific commands provided in the resources, but typical detection involves reviewing user input handling in these fields or using web vulnerability scanners targeting XSS in these inputs. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade your Liferay Portal or Liferay DXP to a fixed version where this vulnerability is resolved. The fixed versions are Liferay Portal 7.4.3.112, Liferay DXP 2023.Q3.8, 2023.Q4.6, and 2024.Q1.1. Until upgrading, you should restrict user input in the affected fields (First Name, Middle Name, Last Name) to prevent injection of scripts, apply input validation and sanitization, and limit user privileges to reduce risk. [1]
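The detection answer above says to check whether an installation falls inside the affected ranges, and the mitigation answer names the first fixed releases. The following script, an added example for this record and not BaseFortify's or Liferay's own tooling, encodes both answers as a version check: it parses the three version notations this page uses ("7.4.3.111", "2023.Q4.5", "7.4 update 92"), reports whether a version lies in one of the affected ranges, and returns the fixed release where the page names one. The range bounds and fixed versions are copied from the description and the mitigation answer; the version notations, the `parse_version`/`matching_range`/`recommended_upgrade`/`audit` helpers and the sample inventory are this example's own assumptions, and a real installation's reported version string may need normalising into one of the three notations first.

```python
"""Check Liferay version strings against the ranges CVE-2025-62240 lists as affected.

Added example for this record, not BaseFortify's or Liferay's own tooling.
Affected ranges and first fixed releases are copied from the description and
the mitigation answer on this page; the accepted version notations are the
ones the page itself uses (an installation's reported version may need
normalising into one of them first).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# One regular expression per version notation used on this page.
_PORTAL = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")           # 7.4.3.111
_QUARTERLY = re.compile(r"^(\d{4})\.[Qq]([1-4])\.(\d+)$")       # 2023.Q4.5 (CPE data writes 2023.q4.0)
_UPDATE = re.compile(r"^(\d+)\.(\d+)\s+update\s+(\d+)$", re.I)  # 7.4 update 92


@dataclass(frozen=True)
class AffectedRange:
    low: str                      # first affected version (inclusive)
    high: str                     # last affected version (inclusive, "X through Y" in the description)
    first_fixed: Optional[str]    # None where the page names no fixed release for this stream


# Ranges from the description; fixed releases from the mitigation answer. The page
# names no fixed update for the 7.4/7.3 update streams, so those carry None.
AFFECTED_RANGES = (
    AffectedRange("7.4.3.35", "7.4.3.111", "7.4.3.112"),        # Liferay Portal
    AffectedRange("2023.Q4.0", "2023.Q4.5", "2023.Q4.6"),       # Liferay DXP quarterly
    AffectedRange("2023.Q3.1", "2023.Q3.7", "2023.Q3.8"),       # Liferay DXP quarterly
    AffectedRange("7.4 update 35", "7.4 update 92", None),      # Liferay DXP 7.4 update stream
    AffectedRange("7.3 update 25", "7.3 update 36", None),      # Liferay DXP 7.3 update stream
)


def parse_version(text: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (family, comparable int tuple). Versions compare only within one family."""
    s = text.strip()
    for family, pattern in (("liferay_portal", _PORTAL),
                            ("dxp_quarterly", _QUARTERLY),
                            ("dxp_update", _UPDATE)):
        m = pattern.match(s)
        if m:
            return family, tuple(int(g) for g in m.groups())
    raise ValueError(f"unrecognised Liferay version string: {text!r}")


def matching_range(version: str) -> Optional[AffectedRange]:
    """Return the affected range that contains `version`, or None if it lies outside all of them."""
    family, v = parse_version(version)
    for r in AFFECTED_RANGES:
        low_family, low = parse_version(r.low)
        _, high = parse_version(r.high)
        # Tuple comparison keeps major/minor ordering, so "7.3 update 40" never
        # falls into the "7.4 update 35 .. 92" range and vice versa.
        if low_family == family and low <= v <= high:
            return r
    return None


def is_affected(version: str) -> bool:
    return matching_range(version) is not None


def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release for an affected version where the page names one; None otherwise."""
    r = matching_range(version)
    return r.first_fixed if r else None


def audit(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to a status line; unparseable versions are reported, not dropped."""
    results: Dict[str, str] = {}
    for host, version in inventory:
        try:
            r = matching_range(version)
        except ValueError as e:
            results[host] = f"unparsed ({e})"
            continue
        if r is None:
            results[host] = "not in an affected range"
        elif r.first_fixed:
            results[host] = f"AFFECTED - upgrade to {r.first_fixed}"
        else:
            results[host] = "AFFECTED - page names no fixed update for this stream"
    return results


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the demo.
    sample = [
        ("portal-a.example", "7.4.3.111"),
        ("portal-b.example", "7.4.3.112"),
        ("dxp-c.example", "2023.q4.5"),
        ("dxp-d.example", "7.3 update 30"),
        ("dxp-e.example", "7.4 update 93"),
        ("legacy-f.example", "7.2.1"),
    ]
    for host, status in audit(sample).items():
        print(f"{host:20} {status}")
```

The check treats both ends of every range as inclusive, matching the description's "X through Y" wording and the CPE table's "(inc) to ... (exc)" bounds, where the exclusive upper bound is the first fixed release. A version the parser does not recognise is reported as unparsed rather than silently marked safe, so an inventory entry in an unexpected notation still shows up for review.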

