Stored Cross-Site Scripting Vulnerabilities in Liferay Portal and DXP
CVE-2025-62246

4.8MEDIUM

Key Information:

Vendor: Liferay
Status: Portal; Dxp
Vendor: CVE Published:; 13 October 2025

What is CVE-2025-62246?

Multiple stored cross-site scripting (XSS) vulnerabilities exist in various versions of Liferay Portal and Liferay DXP. These vulnerabilities can be exploited by remote authenticated users, enabling them to inject arbitrary web scripts or HTML through crafted payloads inserted into user fields such as first, middle, or last names. The affected integration points include page comments, blog entry comments, document media comments, message board messages, and wiki page comments, among others. This issue underscores the importance of secure input validation to prevent malicious scripts from executing in the web application.

Affected Version(s)

DXP 7.4.13 <= 7.4.13-u92

DXP 2023.Q3.1 <= 2023.Q3.8

DXP 2023.Q4.0 <= 2023.Q4.5

References

https://liferay.dev/portal/security/known-vulnerabilities...

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 13, 2025
Vulnerability Reserved
Oct 9, 2025

Credit

foobar7

JSON