CVE-2025-62246: 
Java vulnerability analysis and mitigation

Multiple stored cross-site scripting (XSS) vulnerabilities have been identified in Liferay Portal 7.4.0 through 7.4.3.111 and Liferay DXP versions (2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92). The vulnerability, tracked as CVE-2025-62246, was discovered and reported by security researcher foobar7 and was publicly disclosed on November 6, 2024 (Liferay Security).

The vulnerability allows remote authenticated users to inject arbitrary web script or HTML through a crafted payload inserted into a user's first, middle or last name text field. The attack vector affects multiple components including page comments widget, blog entry comments, document and media document comments, message board messages, wiki page comments, and other widgets/apps that support mentions. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

The vulnerability can lead to stored cross-site scripting attacks, potentially allowing attackers to execute malicious scripts in users' browsers when viewing affected content. This could result in theft of sensitive information, session hijacking, or other client-side attacks (Liferay Security).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal version 7.4.3.112 or Liferay DXP versions 2024.Q1.1, 2023.Q4.6, or 2023.Q3.9 as appropriate (Liferay Security).