CVE-2025-62240
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-09

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-09
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-10-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62240
Affected Vendors & Products
Showing 74 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2023.Q3.1 (inc) to 2023.Q3.8 (exc)
liferay digital_experience_platform From 2023.q4.0 (inc) to 2023.q4.6 (exc)
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.3
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.3.35 (inc) to 7.4.3.112 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves multiple cross-site scripting (XSS) issues in the Calendar events feature of Liferay Portal and Liferay DXP. Remote attackers can inject arbitrary web scripts or HTML by submitting crafted payloads into a user's First Name, Middle Name, or Last Name text fields. This allows attackers to execute malicious scripts in the context of other users. [1]

Impact Analysis

The vulnerability can allow remote attackers to execute malicious scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites. However, the impact on confidentiality, integrity, and availability is considered low. Exploitation requires user interaction and low privileges. [1]

Detection Guidance

This vulnerability can be detected by checking if your Liferay Portal or Liferay DXP installation is within the affected versions (Liferay Portal 7.4.3.35 through 7.4.3.111, Liferay DXP 2023.Q3.1 through 2023.Q3.7, 2023.Q4.0 through 2023.Q4.5, 7.4 Update 35 through Update 92, and 7.3 Update 25 through Update 36). Additionally, you can test for XSS by attempting to inject crafted payloads into the First Name, Middle Name, or Last Name fields in Calendar events and observing if the payload executes. There are no specific commands provided in the resources, but typical detection involves reviewing user input handling in these fields or using web vulnerability scanners targeting XSS in these inputs. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade your Liferay Portal or Liferay DXP to a fixed version where this vulnerability is resolved. The fixed versions are Liferay Portal 7.4.3.112, Liferay DXP 2023.Q3.8, 2023.Q4.6, and 2024.Q1.1. Until upgrading, you should restrict user input in the affected fields (First Name, Middle Name, Last Name) to prevent injection of scripts, apply input validation and sanitization, and limit user privileges to reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62240. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart