Reflected XSS Vulnerability in Liferay Portal and Liferay DXP
CVE-2025-62248

4.8 MEDIUM

Key Information:

Vendor: Liferay
Status: Vendor
CVE Published: 22 October 2025

What is CVE-2025-62248?

A reflected cross-site scripting (XSS) vulnerability has been detected in multiple versions of Liferay Portal and Liferay DXP. This issue arises from a regression that enables remote, authenticated attackers to inject malicious JavaScript code through a crafted parameter. When a victim accesses a specially constructed URL containing the harmful input, the malicious payload gets executed in their browser, potentially leading to unauthorized access and manipulation of sensitive user data.

Affected Version(s)

DXP 2024.Q1.1 <= 2024.Q1.19

DXP 2024.Q2.1 <= 2024.Q2.13

DXP 2024.Q3.1 <= 2024.Q3.13

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
