CVE-2025-62255

Summary

Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.101affected
LiferayDXP7.3.10 <= 7.3.10-u34affected
LiferayDXP7.4.13 <= 7.4.13-u92affected
LiferayDXP2023.Q3.1 <= 2023.Q3.5affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References