CVE-2025-62237 — Liferay Portal Commerce is vulnerable to XSS through account "name" field

描述

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.

如何修補 CVE-2025-62237

要修補 CVE-2025-62237,請將受影響套件升級到下列已修補版本。

Maven/com.liferay.commerce:com.liferay.commerce.order.web—升級至 5.0.101 或更新版本

CVE-2025-62237 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 5.0.29, < 5.0.101

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

參考連結(4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62237
PATCHgithub.com/liferay/com-liferay-commerce
WEBgithub.com/liferay/liferay-portal/commit/e6d49eda196676aa3fecb26f6a8ba100602d0c36
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62237