PT-2025-41559 · Liferay · Liferay Portal+1

Foobar7 · Published 2025-10-10 · Updated 2025-10-13 · CVE-2025-62237

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.4.3.8 through 7.4.3.111
Liferay DXP versions 2023.Q3.1 through 2023.Q3.8
Liferay DXP versions 2023.Q4.0 through 2023.Q4.5
Liferay Portal versions 7.4 update 8 through update 92

Description

A stored cross-site scripting (XSS) issue exists in the view order page of Commerce within the affected software. It allows a remote attacker to inject arbitrary web script or HTML by entering a crafted payload in the “Name” text field of an Account. The injected code is then executed when other users view the order page.

Recommendations

Liferay Portal version 7.4.3.112 or later should be used.
Liferay DXP version 2023.Q3.9 or later should be used.
Liferay DXP version 2023.Q4.6 or later should be used.
Liferay Portal update 93 or later should be used.
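
For inventory triage, the affected ranges above can be checked mechanically. The following is an added example, not code from the advisory or from Liferay; the family labels, the accepted input spellings (including an optional `-gaNNN` suffix) and the sample hostnames are assumptions.

```python
import re

# Inclusive bounds transcribed from the affected-versions list above.
# The keys are hypothetical labels for the version schemes this helper distinguishes.
AFFECTED = {
    "portal-ga": ((7, 4, 3, 8), (7, 4, 3, 111)),
    "dxp-2023.Q3": ((1,), (8,)),
    "dxp-2023.Q4": ((0,), (5,)),
    "7.4-update": ((8,), (92,)),
}

def classify(version):
    """Return (family, comparable tuple) for a version string, or None."""
    v = version.strip()
    m = re.fullmatch(r"(\d{4})\.[Qq]([1-4])\.(\d+)", v)        # e.g. 2023.Q4.5
    if m:
        return f"dxp-{m.group(1)}.Q{m.group(2)}", (int(m.group(3)),)
    m = re.fullmatch(r"7\.4\s+[Uu](?:pdate\s*)?(\d+)", v)      # e.g. 7.4 update 92
    if m:
        return "7.4-update", (int(m.group(1)),)
    m = re.fullmatch(r"(\d+(?:\.\d+){3})(?:-ga\d+)?", v)       # e.g. 7.4.3.98-ga98
    if m:
        return "portal-ga", tuple(int(p) for p in m.group(1).split("."))
    return None

def status(version):
    """'affected' if inside a listed range, 'not-listed' if outside, 'unknown' if unparsed."""
    parsed = classify(version)
    if parsed is None:
        return "unknown"          # never treat an unparsed version as unaffected
    family, number = parsed
    bounds = AFFECTED.get(family)
    if bounds and bounds[0] <= number <= bounds[1]:
        return "affected"
    return "not-listed"

def triage(inventory):
    """Map each host to its status."""
    return {host: status(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative only).
INVENTORY = {
    "shop-prod": "7.4.3.98-ga98",
    "shop-stage": "2023.Q4.6",
    "b2b-portal": "7.4 update 92",
    "legacy": "dxp-custom-build",
}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

A result of `not-listed` only means the version is outside the ranges this advisory names; `unknown` entries need manual review.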

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62237
GHSA-M4G9-5MG6-GFR3

Affected Products

Liferay DXP
Liferay Portal