CVE-2025-62249: 
Java vulnerability analysis and mitigation

CVE-2025-62249 is a reflected cross-site scripting (XSS) vulnerability discovered in Liferay Portal and Liferay DXP. The vulnerability was disclosed on May 8, 2025, affecting multiple versions of Liferay Portal (7.4.0 through 7.4.3.132) and Liferay DXP across various quarterly releases from 2023.Q4 through 2025.Q3 (Liferay Advisory).

The vulnerability allows remote non-authenticated attackers to inject JavaScript into the google_gadget component. The severity of this vulnerability has been assessed with a CVSS v4.0 score of 6.9 (Medium), with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD Database).

The vulnerability can lead to the execution of malicious JavaScript code in users' browsers, potentially compromising user data and session information. The CVSS scoring indicates low impact on confidentiality, integrity, and availability, but presents potential security concerns for both system and user data (Liferay Advisory).

Liferay has released fixes for this vulnerability in multiple versions: Liferay Portal fixed on master branch, Liferay DXP 2025.Q3.3, Liferay DXP 2025.Q1.18, and Liferay DXP 2024.Q1.21. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).