CVE-2025-62255 — Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowled

Description

Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename.

How to fix CVE-2025-62255

To remediate CVE-2025-62255, upgrade the affected package to a fixed version below.

—upgrade to 5.0.109 or later

Is CVE-2025-62255 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.109

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62255
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/46dd9b77cc2514761828d9b483a1dfe5d6e6b76d
WEBliferay.atlassian.net/browse/LPE-17842