CVE-2025-62264: 
Java Análise e mitigação de vulnerabilidades

Reflected cross-site scripting (XSS) vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId parameter. The vulnerability was discovered and reported by argon21 and was published on October 31, 2025 (Liferay Security).

The vulnerability has been assigned a CVSS v4.0 score of 5.1 MEDIUM with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability exists in the Language Override component and can be exploited through the selectedLanguageId parameter, allowing for reflected cross-site scripting attacks (Liferay Security).

The vulnerability allows remote attackers to inject malicious web scripts or HTML code through the application. This could potentially lead to client-side attacks against users of the affected Liferay installations (Liferay Security).

The vulnerability has been fixed in Liferay Portal version 7.4.3.112 and Liferay DXP version 2024.Q1.1. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Security).