CVE-2025-62248

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

4.8MEDIUM

EPSS

0.0%

top 92.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 22

Description

A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows a remote, authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition paramet…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5liferay/portal7.4.0 — 7.4.3.132

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶NVDliferay/digital_experience_platform2024.q1.1 — 2024.q1.20+3

▶CVEListV5liferay/dxp2024.Q1.1 — 2024.Q1.19+5

▶Mavencom.liferay:com.liferay.dynamic.data.mapping.web5.0.122

🔴Vulnerability Details

GHSA

Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)↗2025-10-22

▶

CVEList

CVE-2025-62248: A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7↗2025-10-22

▶

OSV

Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)↗2025-10-22

▶