CVE-2025-62265: 
Java Análise e mitigação de vulnerabilidades

A Cross-site scripting (XSS) vulnerability was discovered in the Blogs widget of Liferay Portal and Liferay DXP, identified as CVE-2025-62265. The vulnerability was disclosed on November 5, 2024, affecting multiple versions of Liferay Portal (7.2.0 through 7.4.3.111) and Liferay DXP (2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4, 7.3, and older versions). The security researcher foobar7 reported this vulnerability (Liferay Security).

The vulnerability stems from the Blogs widget's failure to add the sandbox attribute to elements, enabling remote attackers to inject arbitrary web script or HTML through a crafted tag in a blog entry's "Content" text field. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N), indicating moderate severity (Liferay Security).

The vulnerability allows remote attackers to access the parent page via scripts and links in the frame page, potentially compromising the security of the web application and exposing users to cross-site scripting attacks (Liferay Security).

Liferay has addressed this vulnerability by releasing patched versions: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, and Liferay DXP 2023.Q3.9. Users are advised to upgrade to these fixed versions to mitigate the security risk (Liferay Security).