CVE-2025-62237: Liferay Portal Commerce is vulnerable to XSS through account "name" field

October 10, 2025 (updated November 10, 2025)

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.

References

github.com/advisories/GHSA-m4g9-5mg6-gfr3
github.com/liferay/com-liferay-commerce
github.com/liferay/liferay-portal/commit/e6d49eda196676aa3fecb26f6a8ba100602d0c36
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62237
nvd.nist.gov/vuln/detail/CVE-2025-62237

Code Behaviors & Features

Detect and mitigate CVE-2025-62237 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →