CVE-2025-62267
BaseFortify
Publication date: 2025-10-31
Last updated on: 2025-11-10
Assigner: Liferay Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 7.4 |
| liferay | digital_experience_platform | 2023.q3.1 |
| liferay | digital_experience_platform | 2023.q3.2 |
| liferay | digital_experience_platform | 2023.q3.3 |
| liferay | digital_experience_platform | 2023.q3.4 |
| liferay | digital_experience_platform | 2023.q3.5 |
| liferay | digital_experience_platform | 2023.q3.6 |
| liferay | digital_experience_platform | 2023.q3.7 |
| liferay | digital_experience_platform | 2023.q3.8 |
| liferay | digital_experience_platform | 2023.q3.9 |
| liferay | digital_experience_platform | 2023.q3.10 |
| liferay | digital_experience_platform | 2023.q4.0 |
| liferay | digital_experience_platform | 2023.q4.1 |
| liferay | digital_experience_platform | 2023.q4.2 |
| liferay | digital_experience_platform | 2023.q4.3 |
| liferay | digital_experience_platform | 2023.q4.4 |
| liferay | digital_experience_platform | 2023.q4.5 |
| liferay | digital_experience_platform | 2023.q4.6 |
| liferay | digital_experience_platform | 2023.q4.7 |
| liferay | digital_experience_platform | 2023.q4.8 |
| liferay | digital_experience_platform | 2023.q4.9 |
| liferay | digital_experience_platform | 2023.q4.10 |
| liferay | liferay_portal | From 7.4.3.35 (inc) to 7.4.3.112 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62267 is a stored cross-site scripting (XSS) vulnerability in the web content template's select structure page of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML by submitting crafted payloads into the user's First Name, Middle Name, or Last Name text fields. This means malicious code can be stored and executed in the application when other users view the affected content. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the context of other users, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of the user. However, the CVSS score indicates that the impact on confidentiality and integrity is low, and availability is not affected. Exploitation requires high privileges and user interaction. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if user input fields for First Name, Middle Name, or Last Name in the affected Liferay Portal or DXP versions are vulnerable to stored XSS by submitting crafted payloads and observing if the scripts are executed. There are no specific commands provided in the resources. A practical approach is to test these fields with typical XSS payloads (e.g., <script>alert(1)</script>) and monitor the web application behavior or use web vulnerability scanners that support stored XSS detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Liferay Portal to version 7.4.3.112 or later, or Liferay DXP to version 2024.Q1.1 or later, where the vulnerability has been fixed. Until the upgrade can be applied, restrict user input in the affected fields to disallow script tags or suspicious HTML, and apply web application firewall (WAF) rules to block malicious payloads targeting these fields. [1]