CVE-2025-62267

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

4.6MEDIUM

EPSS

0.0%

top 92.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Liferay Portal Liferay DXP Liferay Portal +1 more

Timeline

PublishedOct 31

Description

Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDliferay/liferay_portal7.4.3.35 — 7.4.3.112

▶Mavencom.liferay:com.liferay.dynamic.data.mapping.item.selector.web< 1.0.9

▶CVEListV5liferay/portal7.4.3.35 — 7.4.3.111

▶CVEListV5liferay/dxp7.4.13-u35 — 7.4.13-u92+2

▶NVDliferay/digital_experience_platform22 versions+21

🔴Vulnerability Details

OSV

Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page↗2025-10-31

▶

GHSA

Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page↗2025-10-31

▶

CVEList

CVE-2025-62267: Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7↗2025-10-31

▶