CVE-2025-62249 Reflected XSS in google_widget

Description

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal and Liferay DXP allows an remote non-authenticated attacker to inject JavaScript into the google_gadget.

Severity

6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.132
Liferay DXP 2025.Q3.0 through 2025.Q3.2
Liferay DXP 2025.Q2.0 through 2025.Q2.12
Liferay DXP 2025.Q1.0 through 2025.Q1.17
Liferay DXP 2024.Q4.0 through 2024.Q4.7
Liferay DXP 2024.Q3.1 through 2024.Q3.13
Liferay DXP 2024.Q2.0 through 2024.Q2.13
Liferay DXP 2024.Q1.1 through 2024.Q1.20
Liferay DXP 2023.Q4.0 through 2023.Q4.10

Fixed Version(s)

Liferay Portal fixed on master branch
Liferay DXP 2025.Q3.3
Liferay DXP 2025.Q1.0 through 2025.Q1.18
Liferay DXP 2024.Q1.1 through 2024.Q1.21

Publication date: Thu, 08 May 2025 17:23:00 +0000

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)