Description

Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's “Name“ text field.

Remediation

References

CVE-2025-62238

Related Vulnerabilities

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-35480)

Oracle Database Server Other Vulnerability (CVE-2007-5513)

IBM RTC Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-29673)

WordPress Plugin EU Cookie Law for GDPR/CCPA Cross-Site Scripting (3.1.6)

WordPress Plugin CMP-Coming Soon & Maintenance by NiteoThemes Security Bypass (3.8.1)

Severity

Medium

Classification

CVE-2025-62238 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities