CVE-2025-62264: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability was discovered in Liferay Portal and DXP's Language Override feature, identified as CVE-2025-62264. The vulnerability affects Liferay Portal versions 7.4.3.8 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92. The vulnerability was reported by researcher argon21 and was publicly disclosed on October 31, 2025 (Liferay Advisory).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through the _com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId parameter in the Language Override feature. The vulnerability has been assigned a CVSS v4.0 base score of 5.1 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability can allow attackers to execute arbitrary web scripts or inject HTML in the context of other users' browsers when they interact with the affected parameter. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (AttackerKB).

The vulnerability has been fixed in Liferay Portal version 7.4.3.112 and Liferay DXP version 2024.Q1.1. Organizations using affected versions should upgrade to these patched versions to mitigate the vulnerability (Liferay Advisory).