CVE-2025-62246
BaseFortify
Publication date: 2025-10-13
Last updated on: 2025-12-12
Assigner: Liferay Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range (inc = inclusive, exc = exclusive) |
|---|---|---|
| liferay | digital_experience_platform | Up to 7.4 (inc) |
| liferay | digital_experience_platform | From 2023.q3.1 (inc) to 2023.q3.9 (exc) |
| liferay | digital_experience_platform | From 2023.q4.0 (inc) to 2023.q4.6 (exc) |
| liferay | liferay_portal | From 7.1.0 (inc) to 7.4.3.112 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability covers multiple stored cross-site scripting (XSS) issues in the affected versions of Liferay Portal and Liferay DXP. A remote authenticated user can inject arbitrary web script or HTML by placing a crafted payload in one of their own user name fields (first, middle, or last name). The name is stored with the user profile and later rendered, without adequate neutralization, wherever that user is referenced in widgets or apps such as page comments, blog entry comments, document comments, message board messages, wiki page comments, and other widgets that support mentions. Because the payload lives in the profile rather than in a single post, one profile edit reaches every page on which that user's name is displayed, and the script executes in the browser of each user who views that content.
How can this vulnerability impact me?
An attacker who holds any account on the platform can cause script to run in the browsers of other users, including administrators, who view content where the attacker's name is rendered. Depending on what the script does and how the session cookie is protected, this can lead to session hijacking, actions performed on behalf of the victim, theft of data visible to the victim, or defacement of content. Since the payload is stored and executes each time an affected widget or app is viewed, it persists until the offending name fields are cleaned up, not just until the rendering bug is patched.