CVE-2025-62239: 
Java vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in the workflow process builder component of Liferay Portal and DXP platforms. The vulnerability affects multiple versions including Liferay Portal 7.4.3.21 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92. The issue was reported by security researcher foobar7 and was publicly disclosed on September 13, 2024 (Liferay Advisory).

The vulnerability is classified as a Cross-site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v4.0 score of 4.6 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability specifically exists in the workflow process builder component, where input validation for workflow definitions is insufficient (NVD Database).

The vulnerability allows remote authenticated attackers to inject arbitrary web script or HTML through crafted input in workflow definitions. This could potentially lead to the execution of malicious scripts in the context of other users' browsers who access the affected workflow definitions (Liferay Advisory).

Liferay has released fixed versions to address this vulnerability: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.6, and Liferay DXP 2023.Q3.9. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Liferay Advisory).