CVE-2025-62239: 
Java vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in the workflow process builder component of Liferay Portal and DXP platforms. The vulnerability affects multiple versions including Liferay Portal 7.4.3.21 through 7.4.3.111, Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92. The issue was reported by security researcher foobar7 and was publicly disclosed on September 13, 2024 (Liferay Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v4.0 score of 4.6 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The technical assessment indicates that the vulnerability requires network access (AV:N), has low attack complexity (AC:L), requires high privileges (PR:H), and user interaction (UI:A) (NVD).

The vulnerability allows remote authenticated attackers to inject arbitrary web script or HTML through crafted input in workflow definitions. The impact is considered moderate, with low potential for both confidentiality and integrity breaches, as indicated by the CVSS metrics (Liferay Advisory).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.6, and Liferay DXP 2023.Q3.9. Users are advised to upgrade to these patched versions (Liferay Advisory).