CVE-2025-62263 Stored XSS with account role and organization name

Description

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field to (1) view account role page, or (2) select account role page.

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal and Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Organization’s “Name” text field to (1) view account page, (2) view account organization page, or (3) select account organization page.

Severity

4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

Liferay Portal 7.3.7 through 7.4.3.92
Liferay DXP 2023.Q3.1 through 2023.Q3.4
Liferay DXP 7.4
Liferay DXP 7.3 SP3 through U36

Fixed Version(s)

Liferay Portal 7.4.3.104
Liferay DXP 2024.Q1.1
Liferay DXP 2023.Q4.0
Liferay DXP 2023.Q3.5

Publication date: Mon, 27 Oct 2025 07:31:00 +0000

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)