Reflected cross-site scripting (XSS) vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter.
PUBLISHED5.2CWE-79
Problem type
Affected products
Liferay
Portal
<= 7.4.3.111 - AFFECTED
DXP
<= 7.4.13-u92 - AFFECTED
<= 2023.Q3.10 - AFFECTED
<= 2023.Q4.10 - AFFECTED
References
JSON source
Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2025-62264",
"assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"assignerShortName": "Liferay",
"dateUpdated": "2025-10-31T17:52:36.076Z",
"dateReserved": "2025-10-09T20:58:53.012Z",
"datePublished": "2025-10-31T17:32:01.861Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
"shortName": "Liferay",
"dateUpdated": "2025-10-31T17:32:01.861Z"
},
"descriptions": [
{
"lang": "en",
"value": "Reflected cross-site scripting (XSS) vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Reflected cross-site scripting (XSS) vulnerability in Languauge Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter."
}
]
}
],
"affected": [
{
"vendor": "Liferay",
"product": "Portal",
"defaultStatus": "unaffected",
"versions": [
{
"version": "7.4.3.8",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "7.4.3.111"
}
]
},
{
"vendor": "Liferay",
"product": "DXP",
"defaultStatus": "unaffected",
"versions": [
{
"version": "7.4.13-u4",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "7.4.13-u92"
},
{
"version": "2023.Q3.1",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "2023.Q3.10"
},
{
"version": "2023.Q4.0",
"status": "affected",
"versionType": "maven",
"lessThanOrEqual": "2023.Q4.10"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62264"
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "argon21",
"type": "reporter"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2025-10-31T17:52:36.076Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}