CVE-2025-62255: 
Java vulnerability analysis and mitigation

A Self Cross-site scripting (XSS) vulnerability (CVE-2025-62255) was discovered in Liferay Portal and Liferay DXP's Knowledge Base article edit page. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.101 and older unsupported versions, as well as Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, and 7.4 GA through update 92. The vulnerability was disclosed on October 23, 2025 (Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through a crafted payload injected into an attachment's filename on the Knowledge Base article edit page. The vulnerability has been assigned a CVSS v4.0 score of 2.0 (Low) with the vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability could allow attackers to execute arbitrary web scripts or HTML in the context of other users' browsers when they view the maliciously crafted attachment filename on the Knowledge Base article edit page. Due to the self-XSS nature of the vulnerability and the requirement for user interaction, the impact is considered low (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.102, Liferay DXP version 2023.Q3.6, and Liferay DXP 7.3 U35. Users are advised to upgrade to these or later versions to address the vulnerability (Liferay Advisory).