Stored XSS in Liferay Portal 7.4.3.8-7.4.3.111 Order View
CVE-2025-62237 Published on October 10, 2025
Stored cross-site scripting (XSS) vulnerability in Commerces view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Accounts Name text field.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-62237 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2025-62237
stack.watch emails you whenever new vulnerabilities are published in Liferay Portal or Liferay Digital Experience Platform. Just hit a watch button to start following.
Affected Versions
Liferay Portal:- Version 7.4.3.8, <= 7.4.3.111 is affected.
- Version 7.4.13-u8, <= 7.4.13-u92 is affected.
- Version 2023.Q3.1, <= 2023.Q3.8 is affected.
- Version 2023.Q4.0, <= 2023.Q4.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.