CVE-2025-62267
Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page
6.1
MEDIUM
CVSS 3.1
EPSS 0.03%
Description
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.
How to fix CVE-2025-62267
To remediate CVE-2025-62267, upgrade the affected package to a fixed version below.
- —upgrade to 1.0.9 or later
Is CVE-2025-62267 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.0.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |