CVE-2025-62264
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-31

Last updated on: 2025-11-10

Assigner: Liferay Inc.

Description
Reflected cross-site scripting (XSS) vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-31
Last Modified
2025-11-10
Generated
2026-06-16
AI Q&A
2025-11-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62264
Affected Vendors & Products
Showing 111 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4
liferay digital_experience_platform 2023.q3.5
liferay digital_experience_platform 2023.q3.6
liferay digital_experience_platform 2023.q3.7
liferay digital_experience_platform 2023.q3.8
liferay digital_experience_platform 2023.q3.9
liferay digital_experience_platform 2023.q3.10
liferay digital_experience_platform 2023.q4.0
liferay digital_experience_platform 2023.q4.1
liferay digital_experience_platform 2023.q4.2
liferay digital_experience_platform 2023.q4.3
liferay digital_experience_platform 2023.q4.4
liferay digital_experience_platform 2023.q4.5
liferay digital_experience_platform 2023.q4.6
liferay digital_experience_platform 2023.q4.7
liferay digital_experience_platform 2023.q4.8
liferay digital_experience_platform 2023.q4.9
liferay digital_experience_platform 2023.q4.10
liferay liferay_portal From 7.4.3.8 (inc) to 7.4.3.112 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in the Language Override feature of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML through a specific parameter named `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId`. This means an attacker can craft a malicious URL that, when visited by a user, can execute unwanted scripts in the user's browser. [1]

Impact Analysis

The vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website, potentially leading to theft of user data, session hijacking, or other malicious actions performed on behalf of the user. Since it requires user interaction (UI:A), the attacker needs to trick users into clicking a crafted link. The impact severity is moderate with a CVSS score of 5.1. [1]

Detection Guidance

This vulnerability can be detected by testing for reflected cross-site scripting (XSS) via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter in affected Liferay Portal or DXP versions. You can use tools like curl or a web proxy to send HTTP requests with crafted payloads in this parameter and observe if the payload is reflected unescaped in the response. For example, using curl: curl -v 'http://<target>/path?_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId=<script>alert(1)</script>' and checking if the script is executed or reflected in the response. Automated scanners that test for reflected XSS vulnerabilities can also be used targeting this parameter. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading affected Liferay Portal and DXP installations to fixed versions: Liferay Portal 7.4.3.112 or later, and Liferay DXP 2024.Q1.1 or later. If upgrading is not immediately possible, consider applying web application firewall (WAF) rules to block or sanitize requests containing suspicious input in the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter to prevent script injection. Additionally, ensure that user input is properly validated and escaped in the application to prevent XSS. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart