CVE-2025-62249 MEDIUM

CVE-2025-62249

Vendor Liferay
Product Portal
Weakness CWE-79 · XSS
Published October 21, 2025
Last update October 21, 2025
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 2023.Q4.0 through 2023.Q4.10 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

Key dates

02Disclosure timeline

October 21, 2025 CVE published
October 21, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-24530 Alojapro Widget <= 1.1.15 - Authenticated Stored Cross-Site Scripting (XSS) CVE-2024-8499 Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.0.3 - Reflected Cross-Site Scripting via render_review_request_notice CVE-2023-3474 SimplePHPscripts Simple Blog URL Parameter preview.php cross site scripting CVE-2026-9104 Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title CVE-2024-7303 itsourcecode Online Blood Bank Management System Send Blood Request Page request.php cross site scripting