CVE-2025-62265

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

4.8MEDIUM

EPSS

0.0%

top 91.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 30

Description

Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted injected into a blog entry's “Content” text field The Blogs widget in Liferay DXP does not add the sandbox attribute to elements…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDliferay/liferay_portal7.2.0 — 7.4.3.112

▶Mavencom.liferay.portal:release.portal.bom7.4.0-ga1 — 7.4.3.112-ga112

▶CVEListV5liferay/portal7.4.0 — 7.4.3.111

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+2

▶NVDliferay/digital_experience_platform7.4+19

🔴Vulnerability Details

CVEList

CVE-2025-62265: Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7↗2025-10-30

▶

OSV

Liferay Portal is vulnerable to XSS in the Blogs widget↗2025-10-30

▶

GHSA

Liferay Portal is vulnerable to XSS in the Blogs widget↗2025-10-30

▶