CVE-2025-62255: 
Java vulnerability analysis and mitigation

CVE-2025-62255 is a Self Cross-site scripting (XSS) vulnerability discovered in Liferay Portal and Liferay DXP platforms. The vulnerability was disclosed on October 23, 2025, affecting the edit Knowledge Base article page functionality. The affected versions include Liferay Portal 7.4.0 through 7.4.3.101 and older unsupported versions, as well as Liferay DXP 2023.Q3.1 through 2023.Q3.5, and Liferay DXP 7.4 GA through U92 (Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through a crafted payload injected into an attachment's filename on the Knowledge Base article edit page. The vulnerability has been assigned a CVSS v4.0 score with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating a low severity level. The attack requires network access, high attack complexity, and user interaction (NVD).

The vulnerability enables attackers to execute arbitrary web scripts or inject HTML code through manipulated attachment filenames, potentially leading to client-side attacks against users with access to the Knowledge Base article edit page (CERT-FR).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.102, Liferay DXP 2023.Q3.6, or Liferay DXP 7.3 U35 to mitigate the risk (Liferay Advisory).