CVE-2025-62238: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and DXP's Account Settings functionality. The vulnerability affects Liferay Portal versions 7.4.3.21 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92. The issue was reported by security researcher foobar7 and was published on September 13, 2024 (Liferay Advisory).

The vulnerability exists on the Membership page in Account Settings where authenticated users can inject arbitrary web script or HTML through a crafted payload in the Account's "Name" text field. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability allows remote authenticated attackers to inject malicious web scripts or HTML content through the Account Name field. This could potentially lead to the execution of unauthorized scripts in users' browsers, potentially compromising user sessions or leading to other client-side attacks (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.6, and Liferay DXP 2023.Q3.9. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).