2

CVE-2025-62255 Self-XSS with attachment file names in Knowledge Base

Description

Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal and Liferay DXP allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename.

Severity

2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions
  • Liferay DXP 2023.Q3.1 through 2023.Q3.5
  • Liferay DXP 7.4 GA through U92
  • Liferay DXP 7.3 GA through U34, and older unsupported versions

Fixed Version(s)

  • Liferay Portal 7.4.3.102
  • Liferay DXP 2023.Q3.6
  • Liferay DXP 7.3 U35

Publication Date: 

October 23, 2025

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!