{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-62255","assignerOrgId":"8b54e794-c6f0-462e-9faa-c1001a673ac3","state":"PUBLISHED","assignerShortName":"Liferay","dateReserved":"2025-10-09T20:58:51.717Z","datePublished":"2025-10-23T18:47:18.827Z","dateUpdated":"2025-10-23T18:59:11.371Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Portal","vendor":"Liferay","versions":[{"lessThanOrEqual":"7.4.3.101","status":"affected","version":"7.4.0","versionType":"maven"}]},{"defaultStatus":"unaffected","product":"DXP","vendor":"Liferay","versions":[{"lessThanOrEqual":"7.3.10-u34","status":"affected","version":"7.3.10","versionType":"maven"},{"lessThanOrEqual":"7.4.13-u92","status":"affected","version":"7.4.13","versionType":"maven"},{"lessThanOrEqual":"2023.Q3.5","status":"affected","version":"2023.Q3.1","versionType":"maven"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions  allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename."}],"value":"Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions  allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"HIGH","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":2,"baseSeverity":"LOW","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8b54e794-c6f0-462e-9faa-c1001a673ac3","shortName":"Liferay","dateUpdated":"2025-10-23T18:47:18.827Z"},"references":[{"url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62255"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-10-23T18:59:03.206383Z","id":"CVE-2025-62255","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-23T18:59:11.371Z"}}]}}