CVE-2025-62263 MEDIUM

CVE-2025-62263

Vendor Liferay

Product Portal

Weakness CWE-79 · XSS

Published October 27, 2025

Last update October 27, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field to (1) view account role page, or (2) select account role page. Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Organization’s “Name” text field to (1) view account page, (2) view account organization page, or (3) select account organization page.

Key dates

02Disclosure timeline

October 27, 2025 CVE published

October 27, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62263

Related vulnerabilities

Identifiers

CVE CVE-2025-62263

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Liferay

Product Portal

Affected ≥ 7.3.7 and ≤ 7.4.3.103

Vendor Liferay

Product DXP

Affected ≥ 7.3.10-sp3 and ≤ 7.3.10-u36

Vendor Liferay

Product DXP

Affected ≥ 7.4.13 and ≤ 7.4.13-u92

Vendor Liferay

Product DXP

Affected ≥ 2023.Q3.1 and ≤ 2023.Q3.4

CVE-2025-62263

01Description

02Disclosure timeline

03References

04Related CVE