CVE-2025-62237
published 2025-10-10
medium 4.8 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| liferay | digital_experience_platform | — | — |
| liferay | digital_experience_platform | >= 2023.q3.1 < 2023.q3.9 | 2023.q3.9 |
| liferay | digital_experience_platform | >= 2023.q4.0 < 2023.q4.6 | 2023.q4.6 |
| liferay | dxp | 2023.Q3.1 – 2023.Q3.8 | — |
| liferay | dxp | 2023.Q4.0 – 2023.Q4.5 | — |
| liferay | dxp | 7.4.13-u8 – 7.4.13-u92 | — |
| liferay | liferay_portal | >= 7.4.3.8 < 7.4.3.112 | 7.4.3.112 |
| liferay | portal | 7.4.3.8 – 7.4.3.111 | — |