CVE-2025-62237 in Liferay
Summary
by MITRE • 10/10/2025
Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 12/13/2025
The stored cross-site scripting vulnerability identified as CVE-2025-62237 represents a critical security flaw within the Liferay Portal platform affecting multiple versions including Liferay Portal 7.4.3.8 through 7.4.3.111 and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92. This vulnerability specifically targets the view order page functionality where user input is not properly sanitized or validated, creating an avenue for malicious actors to execute persistent XSS attacks. The flaw exists in the Account Name text field where attackers can inject crafted payloads that will be stored and subsequently executed when other users view the order page, making this a particularly dangerous vulnerability as the malicious code persists beyond the initial injection point.
The technical exploitation of this vulnerability occurs through the improper handling of user input in the Account Name field within the Commerce module's view order page. When an attacker submits malicious content containing script tags or other executable code into the Name field, the application fails to adequately sanitize this input before rendering it in the user interface. This allows the stored payload to be executed in the context of other users' browsers, potentially enabling attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites. The vulnerability is classified as a stored XSS issue under CWE-79 which specifically addresses improper neutralization of input during web page generation, making it particularly dangerous as the malicious content remains persistent in the application's database.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking, as it can enable attackers to perform a wide range of malicious activities within the compromised environment. An attacker could potentially escalate privileges, access sensitive customer information, modify order details, or even gain administrative access to the portal if the application lacks proper access controls. The persistent nature of stored XSS means that every user who views the affected order page becomes a potential victim, creating a widespread impact across the user base. This vulnerability aligns with ATT&CK technique T1531 which focuses on Establishing Persistence through Web Shell or Script Injection, and T1059 which covers Command and Scripting Interpreter techniques. The attack surface is significant since any user with access to the Commerce module's order viewing functionality could be exposed to the malicious payload, potentially affecting thousands of users depending on the size of the deployment.
Organizations affected by this vulnerability should implement immediate mitigations including input validation and output encoding for all user-supplied data fields, particularly those used in high-privilege contexts. The recommended approach involves implementing proper sanitization of all input before storage and ensuring that all output is properly escaped to prevent script execution. Security patches should be applied immediately to all affected versions of Liferay Portal and DXP, with administrators monitoring for any signs of exploitation attempts. Additional protective measures include implementing content security policies, restricting user permissions where possible, and conducting thorough security audits of all input fields within the Commerce module. The vulnerability demonstrates the critical importance of proper input validation and output encoding in web applications, as highlighted by industry standards and best practices outlined in OWASP Top 10 and NIST cybersecurity guidelines. Organizations should also consider implementing intrusion detection systems to monitor for suspicious activity patterns that might indicate exploitation attempts of this type of vulnerability.