CVE-2025-62267
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-31

Last updated on: 2025-11-10

Assigner: Liferay Inc.

Description
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-31
Last Modified
2025-11-10
Generated
2026-06-16
AI Q&A
2025-11-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62267
Affected Vendors & Products
Showing 71 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 2023.q3.1
liferay digital_experience_platform 2023.q3.2
liferay digital_experience_platform 2023.q3.3
liferay digital_experience_platform 2023.q3.4
liferay digital_experience_platform 2023.q3.5
liferay digital_experience_platform 2023.q3.6
liferay digital_experience_platform 2023.q3.7
liferay digital_experience_platform 2023.q3.8
liferay digital_experience_platform 2023.q3.9
liferay digital_experience_platform 2023.q3.10
liferay digital_experience_platform 2023.q4.0
liferay digital_experience_platform 2023.q4.1
liferay digital_experience_platform 2023.q4.2
liferay digital_experience_platform 2023.q4.3
liferay digital_experience_platform 2023.q4.4
liferay digital_experience_platform 2023.q4.5
liferay digital_experience_platform 2023.q4.6
liferay digital_experience_platform 2023.q4.7
liferay digital_experience_platform 2023.q4.8
liferay digital_experience_platform 2023.q4.9
liferay digital_experience_platform 2023.q4.10
liferay liferay_portal From 7.4.3.35 (inc) to 7.4.3.112 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62267 is a stored cross-site scripting (XSS) vulnerability in the web content template's select structure page of Liferay Portal and Liferay DXP. It allows remote attackers to inject arbitrary web scripts or HTML by submitting crafted payloads into the user's First Name, Middle Name, or Last Name text fields. This means malicious code can be stored and executed in the application when other users view the affected content. [1]

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of other users, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of the user. However, the CVSS score indicates that the impact on confidentiality and integrity is low, and availability is not affected. Exploitation requires high privileges and user interaction. [1]

Detection Guidance

Detection of this vulnerability involves checking if user input fields for First Name, Middle Name, or Last Name in the affected Liferay Portal or DXP versions are vulnerable to stored XSS by submitting crafted payloads and observing if the scripts are executed. There are no specific commands provided in the resources. A practical approach is to test these fields with typical XSS payloads (e.g., <script>alert(1)</script>) and monitor the web application behavior or use web vulnerability scanners that support stored XSS detection. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Liferay Portal to version 7.4.3.112 or later, or Liferay DXP to version 2024.Q1.1 or later, where the vulnerability has been fixed. Until the upgrade can be applied, restrict user input in the affected fields to disallow script tags or suspicious HTML, and apply web application firewall (WAF) rules to block malicious payloads targeting these fields. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62267. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart