CVE-2025-62265: 
Java vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability was discovered in the Blogs widget of Liferay Portal and Liferay DXP, identified as CVE-2025-62265. The vulnerability affects multiple versions including Liferay Portal 7.4.0 through 7.4.3.111 and Liferay DXP versions spanning from 2023.Q3.1 through 2023.Q4.10. The issue was publicly disclosed on November 5, 2024, and was reported by security researcher foobar7 (Liferay Advisory).

The vulnerability stems from improper handling of iframe elements in the Blogs widget. Specifically, the widget fails to add the sandbox attribute to iframe elements, which creates a security weakness. The vulnerability has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The severity has been assessed with a CVSS 4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, and a CVSS 3.1 score of 5.4 with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Liferay Advisory, NVD).

The vulnerability allows remote attackers to inject arbitrary web script or HTML through a crafted iframe injected into a blog entry's Content text field. Additionally, due to the missing sandbox attribute, attackers can access the parent page via scripts and links in the frame page (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, or Liferay DXP 2023.Q3.9 to mitigate the issue (Liferay Advisory).