CVE-2025-62248
Essential information
- Published
- 22/10/2025 19:15
- Modified
- 22/10/2025 21:12
- Author
- —
- Creator
- —
- CVSS
- 4.8 MEDIUM (v3) 4.8 MEDIUM (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
—
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- HIGH
- User interaction
- PASSIVE
- Confidentiality (V)
- LOW
- Confidentiality (S)
- LOW
- Integrity (V)
- NONE
- Integrity (S)
- NONE
- Availability (V)
- NONE
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows a remote, authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. The malicious payload is executed within the victim's browser when they access a URL that includes the crafted parameter.
NVD status
- Status
- Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| liferay / liferay portal | cpe:2.3:a:liferay:liferay_portal:7.4.0-7.4.3.132:*:*:*:*:*:*:* |
| liferay / liferay dxp | cpe:2.3:a:liferay:liferay_dxp:2025.Q2.0-2025.Q2.9:*:*:*:*:*:*:* |
| liferay / liferay dxp | cpe:2.3:a:liferay:liferay_dxp:2025.Q1.0-2025.Q1.16:*:*:*:*:*:*:* |
| liferay / liferay dxp | cpe:2.3:a:liferay:liferay_dxp:2024.Q4.0-2024.Q4.7:*:*:*:*:*:*:* |
| liferay / liferay dxp | cpe:2.3:a:liferay:liferay_dxp:2024.Q3.1-2024.Q3.13:*:*:*:*:*:*:* |
| liferay / liferay dxp | cpe:2.3:a:liferay:liferay_dxp:2024.Q2.1-2024.Q2.13:*:*:*:*:*:*:* |
| liferay / liferay dxp | cpe:2.3:a:liferay:liferay_dxp:2024.Q1.1-2024.Q1.19:*:*:*:*:*:*:* |