CVE-2025-62246

Severity: 4.8 MEDIUM
EPSS: 0.0% (top 91.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 13

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user’s first, middle or last name text field to (1) page comments widget, (2) blog entry comments, (3) document and media doc

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages (5 packages)

NVD | liferay/liferay_portal | 7.1.0 | 7.4.3.112
CVEListV5 | liferay/portal | 7.4.0 | 7.4.3.111
NVD | liferay/digital_experience_platform | 2023.q3.1 | 2023.q3.9 | +2
CVEListV5 | liferay/dxp | 7.4.13 | 7.4.13-u92 | +2

Vulnerability Details (3)

GHSA: Liferay Mentions Web is Vulnerable to Cross-site Scripting (2025-10-13)
CVEList: CVE-2025-62246: Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7 (2025-10-13)
OSV: Liferay Mentions Web is Vulnerable to Cross-site Scripting (2025-10-13)