CVE-2025-62248
- Source
- https://cve.org/CVERecord?id=CVE-2025-62248
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62248.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-62248
- Aliases
- Published
- 2025-10-22T19:15:35.987Z
- Modified
- 2026-04-10T05:32:55.761539Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows a remote, authenticated attacker to inject and execute JavaScript code via the comliferaydynamicdatamappingwebportletDDMPortlet_definition parameter. The malicious payload is executed within the victim's browser when they access a URL that includes the crafted parameter.
- References
Affected packages
Git / github.com/liferay/liferay-portal
Affected versions
7.*
7.4.0-ga1
7.4.1-ga2
7.4.2-ga3
7.4.3.132-ga132
7.4.3.4-ga4
7.4.3.41-ga41
7.4.3.5-ga5
7.4.3.6-ga6
7.4.3.7-ga7
7.4.3.88-ga88
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "2024.q1.1"
},
{
"fixed": "2024.q1.20"
}
]
},
{
"events": [
{
"introduced": "2024.q2.0"
},
{
"last_affected": "2024.q2.13"
}
]
},
{
"events": [
{
"introduced": "2024.q3.1"
},
{
"last_affected": "2024.q3.13"
}
]
},
{
"events": [
{
"introduced": "2024.q4.0"
},
{
"last_affected": "2024.q4.7"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62248.json"