Self Cross-site Scripting Vulnerability in Liferay Portal and DXP Products
CVE-2025-62255

2 LOW

Key Information:

Vendor: Liferay

Status
Vendor
CVE Published: 23 October 2025

What is CVE-2025-62255?

A self cross-site scripting (XSS) vulnerability has been identified in the Liferay Portal and DXP products. It affects Liferay Portal 7.4.0 through 7.4.3.101 and older unsupported versions, as well as Liferay DXP 2023.Q3.1 through 2023.Q3.5. The flaw allows remote attackers to inject arbitrary web script or HTML via a specially crafted payload in an attachment's filename on the Knowledge Base article edit page. This could lead to unwanted actions being executed in the context of the user's browser, posing a security risk.

Affected Version(s)

DXP 7.3.10 <= 7.3.10-u34

DXP 7.4.13 <= 7.4.13-u92

DXP 2023.Q3.1 <= 2023.Q3.5

CVSS V4

Score: 2
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
