CVE-2025-62238: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and DXP's Account Settings feature. The vulnerability affects Liferay Portal versions 7.4.3.21 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92. The issue was discovered by security researcher foobar7 and was publicly disclosed on September 13, 2024 (Liferay Advisory).

The vulnerability exists on the Membership page in Account Settings where authenticated users can inject arbitrary web script or HTML through a crafted payload in the Account's "Name" text field. The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. This indicates that the vulnerability requires network access, low attack complexity, no attack requirements, low privileges, and active user interaction (NVD Database).

The vulnerability allows attackers to execute arbitrary web scripts or HTML in the context of other users' browsers who view the affected account name. This could potentially lead to theft of session tokens, credential theft, or other client-side attacks. The CVSS scoring indicates low impact on confidentiality and integrity, with no impact on availability (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.112 and Liferay DXP versions 2024.Q1.1, 2023.Q4.6, and 2023.Q3.9. Organizations using affected versions should upgrade to the fixed versions to protect against this vulnerability (Liferay Advisory).