CVE-2025-62237 — Liferay Portal Commerce is vulnerable to XSS through account "name" field

Description

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.

How to fix CVE-2025-62237

To remediate CVE-2025-62237, upgrade the affected package to a fixed version below.

Maven/com.liferay.commerce:com.liferay.commerce.order.web—upgrade to 5.0.101 or later

Is CVE-2025-62237 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.0.29, < 5.0.101

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62237
PATCHgithub.com/liferay/com-liferay-commerce
WEBgithub.com/liferay/liferay-portal/commit/e6d49eda196676aa3fecb26f6a8ba100602d0c36
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62237