CVE-2025-62267
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62267, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-31

Last updated on: 2025-11-10

Assigner: Liferay Inc.

Description

Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-31
Last Modified
2025-11-10
Generated
2026-07-06
AI Q&A
2025-11-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 71 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4
liferay digital_experience_platform 2023.q3.5
liferay digital_experience_platform 2023.q3.6
liferay digital_experience_platform 2023.q3.7
liferay digital_experience_platform 2023.q3.8
liferay digital_experience_platform 2023.q3.9
liferay digital_experience_platform 2023.q3.10
liferay digital_experience_platform 2023.q4.0
liferay digital_experience_platform 2023.q4.1
liferay digital_experience_platform 2023.q4.2
liferay digital_experience_platform 2023.q4.3
liferay digital_experience_platform 2023.q4.4
liferay digital_experience_platform 2023.q4.5
liferay digital_experience_platform 2023.q4.6
liferay digital_experience_platform 2023.q4.7
liferay digital_experience_platform 2023.q4.8
liferay digital_experience_platform 2023.q4.9
liferay digital_experience_platform 2023.q4.10
liferay liferay_portal From 7.4.3.35 (inc) to 7.4.3.112 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-62267 is a stored cross-site scripting (XSS) vulnerability in the web content template's select structure page of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML by submitting crafted payloads into the user's First Name, Middle Name, or Last Name text fields. This means malicious code can be stored and executed in the application when other users view the affected content. [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of other users, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of the user. However, the CVSS score indicates that the impact on confidentiality and integrity is low, and availability is not affected. Exploitation requires high privileges and user interaction. [1]

Detection Guidance

Detection of this vulnerability involves checking if user input fields for First Name, Middle Name, or Last Name in the affected Liferay Portal or DXP versions are vulnerable to stored XSS by submitting crafted payloads and observing if the scripts are executed. There are no specific commands provided in the resources. A practical approach is to test these fields with typical XSS payloads (e.g., <script>alert(1)</script>) and monitor the web application behavior or use web vulnerability scanners that support stored XSS detection. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Liferay Portal to version 7.4.3.112 or later, or Liferay DXP to version 2024.Q1.1 or later, where the vulnerability has been fixed. Until the upgrade can be applied, restrict user input in the affected fields to disallow script tags or suspicious HTML, and apply web application firewall (WAF) rules to block malicious payloads targeting these fields. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62267. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart