CVE-2025-62264 is a reflected cross-site scripting (XSS) vulnerability identified in the Language Override functionality of Liferay Portal and Liferay DXP products. The vulnerability exists due to improper neutralization of user-supplied input in the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId parameter, which is used during web page generation. This flaw allows remote attackers to craft malicious URLs containing arbitrary JavaScript or HTML code that, when visited by a victim, executes in the context of the vulnerable web application. The affected versions include Liferay Portal 7.4.3.8 through 7.4.3.111 and Liferay DXP releases from 2023 Q3.1 through Q3.10 and 2023 Q4.0 through Q4.10, as well as 7.4 update 4 through update 92. The vulnerability does not require authentication, making it accessible to unauthenticated attackers, but it does require user interaction (clicking a malicious link). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on confidentiality and integrity, with no impact on availability. Although no known exploits have been reported in the wild, the vulnerability could be leveraged for session hijacking, credential theft, or delivering malicious payloads via social engineering. The root cause is a failure to properly sanitize or encode input before reflecting it in the web page output, a classic CWE-79 issue. Organizations using affected Liferay versions should monitor for updates and patches from the vendor and consider interim mitigations.

For European organizations, the impact of CVE-2025-62264 primarily concerns the confidentiality and integrity of user sessions and data accessed via Liferay portals. Exploitation could enable attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, theft of sensitive information, or redirection to malicious sites. This is particularly critical for organizations that use Liferay portals for customer or employee access to sensitive services, such as government agencies, financial institutions, healthcare providers, and large enterprises. Public-facing portals increase exposure risk, as attackers can lure users into clicking crafted URLs. While the vulnerability does not affect availability directly, the resulting compromise of user accounts or data could lead to reputational damage, regulatory penalties under GDPR, and operational disruptions. The medium severity score reflects moderate risk, but the ease of exploitation without authentication and the widespread use of Liferay in Europe elevate the threat. Organizations with high-value targets or sensitive data should treat this vulnerability seriously and act promptly.

1. Apply official patches or updates from Liferay as soon as they become available to address the vulnerability directly. 2. In the absence of patches, implement strict input validation and output encoding on the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId parameter to neutralize malicious scripts. 3. Deploy or tune Web Application Firewalls (WAFs) to detect and block suspicious requests containing script injection attempts targeting this parameter. 4. Conduct user awareness training to educate users about the risks of clicking unknown or suspicious links, especially those purporting to change language settings or similar features. 5. Review and restrict the exposure of Liferay portals to only necessary user groups and networks, employing network segmentation and access controls. 6. Monitor web server and application logs for unusual request patterns or error messages related to the vulnerable parameter. 7. Consider implementing Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 8. Regularly audit and test web applications for XSS vulnerabilities using automated scanners and manual penetration testing.