CVE-2025-62248

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q2.0 through 2025.Q2.9 Liferay DXP versions 2025.Q1.0 through 2025.Q1.16 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.19

Description A reflected cross-site scripting (XSS) issue exists due to a regression. A remote, authenticated attacker can inject and execute JavaScript code via the com liferay dynamic data mapping web portlet DDMPortlet definition parameter. The malicious payload is executed within the victim’s browser when they access a URL that includes the crafted parameter.

Recommendations Liferay Portal versions 7.4.0 through 7.4.3.132 should be updated. Liferay DXP versions 2025.Q2.0 through 2025.Q2.9 should be updated. Liferay DXP versions 2025.Q1.0 through 2025.Q1.16 should be updated. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 should be updated. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 should be updated. Liferay DXP versions 2024.Q2.1 through 2024.Q2.13 should be updated. Liferay DXP versions 2024.Q1.1 through 2024.Q1.19 should be updated.