CVE-2025-62263

EUVD-2025-36346

27.10.2025, 20:15

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field to (1) view account role page, or (2) select account role page.

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Organization’s “Name” text field to (1) view account page, (2) view account organization page, or (3) select account organization page.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Affected Products (NVD)

Vendor	Product	Version
liferay	digital_experience_platform	7.3:service_pack_3
liferay	digital_experience_platform	7.3:update1
liferay	digital_experience_platform	7.3:update10
liferay	digital_experience_platform	7.3:update11
liferay	digital_experience_platform	7.3:update12
liferay	digital_experience_platform	7.3:update13
liferay	digital_experience_platform	7.3:update14
liferay	digital_experience_platform	7.3:update15
liferay	digital_experience_platform	7.3:update16
liferay	digital_experience_platform	7.3:update17
liferay	digital_experience_platform	7.3:update18
liferay	digital_experience_platform	7.3:update19
liferay	digital_experience_platform	7.3:update2
liferay	digital_experience_platform	7.3:update20
liferay	digital_experience_platform	7.3:update21
liferay	digital_experience_platform	7.3:update22
liferay	digital_experience_platform	7.3:update23
liferay	digital_experience_platform	7.3:update24
liferay	digital_experience_platform	7.3:update25
liferay	digital_experience_platform	7.3:update26
liferay	digital_experience_platform	7.3:update27
liferay	digital_experience_platform	7.3:update28
liferay	digital_experience_platform	7.3:update29
liferay	digital_experience_platform	7.3:update3
liferay	digital_experience_platform	7.3:update30
liferay	digital_experience_platform	7.3:update31
liferay	digital_experience_platform	7.3:update32
liferay	digital_experience_platform	7.3:update33
liferay	digital_experience_platform	7.3:update34
liferay	digital_experience_platform	7.3:update35
liferay	digital_experience_platform	7.3:update36
liferay	digital_experience_platform	7.3:update4
liferay	digital_experience_platform	7.3:update5
liferay	digital_experience_platform	7.3:update6
liferay	digital_experience_platform	7.3:update7
liferay	digital_experience_platform	7.3:update8
liferay	digital_experience_platform	7.3:update9
liferay	digital_experience_platform	7.4
liferay	digital_experience_platform	2023.q3.1:q3.1
liferay	digital_experience_platform	2023.q3.2:q3.2
liferay	digital_experience_platform	2023.q3.3:q3.3
liferay	digital_experience_platform	2023.q3.4:q3.4
liferay	liferay_portal	7.3.7 ≤ 𝑥 < 7.4.3.104

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62263