CVE-2025-62267: Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page

October 31, 2025 (updated November 15, 2025)

Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user’s (1) First Name, (2) Middle Name, or (3) Last Name text field.

References

github.com/advisories/GHSA-q285-wfpg-93hr
github.com/liferay/liferay-portal
liferay.atlassian.net/browse/LPE-17900
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62267
nvd.nist.gov/vuln/detail/CVE-2025-62267

Code Behaviors & Features

Detect and mitigate CVE-2025-62267 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →