CVE-2025-62237 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, impacting Liferay Portal versions 7.4.3.8 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92. The vulnerability resides in the Commerce module's view order page, specifically in the handling of the Account's 'Name' text field. An attacker with low privileges can inject crafted malicious payloads into this field, which are then stored and rendered without proper neutralization or sanitization. When other users view the affected page, the injected script executes in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions within the portal. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), user interaction required (UI:A), and limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:N). No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where multiple users access the portal and sensitive data is handled. The lack of patches at the time of reporting necessitates immediate attention to input validation and output encoding controls to mitigate risk.

For European organizations, especially those relying on Liferay Portal or DXP for e-commerce or internal portals, this vulnerability can lead to significant security risks. Successful exploitation could allow attackers to execute arbitrary JavaScript in the browsers of portal users, potentially resulting in session hijacking, theft of sensitive information, unauthorized transactions, or defacement of web content. This could undermine user trust, lead to data breaches involving personal or financial data, and cause regulatory compliance issues under GDPR. The medium severity reflects moderate impact, but the widespread use of Liferay in sectors such as government, finance, and retail across Europe elevates the potential consequences. Additionally, attackers could leverage this vulnerability as a foothold for further attacks within the network. The requirement for user interaction limits automated exploitation but does not eliminate risk in environments with many users or where social engineering is feasible.

European organizations should prioritize the following mitigations: 1) Monitor Liferay’s official channels for patches addressing CVE-2025-62237 and apply them promptly once available. 2) Implement strict input validation on the Account 'Name' field to reject or sanitize potentially malicious input before storage. 3) Employ robust output encoding/escaping mechanisms on all user-supplied content rendered in the Commerce view order page to prevent script execution. 4) Utilize Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5) Conduct regular security audits and penetration testing focusing on XSS vulnerabilities in portal components. 6) Educate users about phishing and social engineering risks to reduce the likelihood of user interaction enabling exploitation. 7) Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS attack patterns specific to Liferay’s Commerce module. These measures combined will reduce the attack surface and mitigate exploitation risks until vendor patches are applied.