CVE-2025-62267 is a cross-site scripting (XSS) vulnerability categorized under CWE-79, found in Liferay Portal versions 7.4.3.35 through 7.4.3.111 and Liferay DXP versions 2023.Q3.1 through 2023.Q4.10. The vulnerability resides in the web content template’s select structure page, specifically in the handling of user input fields for First Name, Middle Name, and Last Name. Attackers can craft malicious payloads injected into these fields, which are improperly neutralized during web page generation, allowing arbitrary HTML or JavaScript execution in the context of the victim’s browser. This flaw can be exploited remotely without authentication but requires user interaction, such as a victim viewing a maliciously crafted page or content that includes the injected script. The vulnerability impacts the confidentiality and integrity of user sessions and data by enabling script execution that could lead to session hijacking, defacement, or redirection to malicious sites. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H but likely a typo or misconfiguration since PR:H means high privileges required), user interaction required (UI:A), and low impact on confidentiality and integrity, with no impact on availability. No known exploits have been reported in the wild as of the publication date. The vulnerability affects organizations using Liferay Portal for content management and web publishing, especially those exposing user-generated content or personal information fields. The lack of available patches at the time of reporting necessitates immediate mitigation strategies to reduce risk.

For European organizations, the impact of CVE-2025-62267 can be significant depending on their use of Liferay Portal or Liferay DXP for internal or external web content management. Exploitation could lead to unauthorized script execution in users’ browsers, resulting in session hijacking, credential theft, or unauthorized actions performed on behalf of users. This can compromise sensitive corporate or personal data, damage organizational reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed or manipulated. Public-facing portals or intranet sites with user input fields are particularly vulnerable, potentially affecting employees, partners, or customers. The medium severity rating reflects that while the vulnerability requires user interaction and does not directly compromise system availability, the confidentiality and integrity risks are non-trivial. European organizations with high reliance on Liferay for digital services should consider this vulnerability a priority to address, especially in sectors like finance, government, and healthcare where data sensitivity is paramount.

1. Apply official patches or updates from Liferay as soon as they become available to address CVE-2025-62267. 2. Implement strict input validation on all user input fields, especially those accepting names or other personal data, to reject or sanitize potentially malicious scripts. 3. Use context-aware output encoding (e.g., HTML entity encoding) when rendering user-supplied data in web pages to prevent script execution. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5. Limit the use of rich text or HTML input fields where possible, or sanitize inputs using robust libraries. 6. Conduct regular security audits and penetration testing focused on XSS vulnerabilities in web content management systems. 7. Educate users about the risks of interacting with suspicious links or content, reducing the likelihood of successful user interaction exploitation. 8. Monitor web application logs for unusual input patterns or error messages indicative of attempted XSS attacks. 9. Consider deploying Web Application Firewalls (WAFs) with rules targeting common XSS attack vectors as an additional layer of defense.