VYPR
Moderate severity · NVD Advisory · Published Oct 10, 2025 · Updated Oct 10, 2025

CVE-2025-62237

Description

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           com.liferay.commerce:com.liferay.commerce.order.web (Maven)
Affected versions: >= 5.0.29, < 5.0.101
Patched versions:  5.0.101

Patches

e6d49eda1966

LPD-15231 Escape account name

https://github.com/liferay/liferay-portal · Stefano Motta · Jan 26, 2024 · via ghsa
1 file changed · +1 -1
  • modules/apps/commerce/commerce-order-web/src/main/resources/META-INF/resources/commerce_order/general.jsp · +1 -1 · modified
    @@ -143,7 +143,7 @@ CommerceOrder commerceOrder = commerceOrderEditDisplayContext.getCommerceOrder()
     								</span>
     							</c:when>
     							<c:otherwise>
    -								<p class="mb-0"><%= accountEntry.getName() %></p>
    +								<p class="mb-0" data-qa-id="commerce-order-account-entry-name"><%= HtmlUtil.escape(accountEntry.getName()) %></p>
     								<p class="mb-0">#<%= accountEntry.getAccountEntryId() %></p>
     							</c:otherwise>
     						</c:choose>
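Review bot: the escape is applied only in the <c:otherwise> branch; the <c:when> branch above it ends at `</span>` in the hunk's leading context, so its body is not visible here. Confirm that branch does not also render accountEntry.getName() (or another account-controlled string) unescaped, otherwise the stored XSS is closed on one rendering path only. Separately, the same line bundles an unrelated data-qa-id="commerce-order-account-entry-name" attribute into a security fix; keeping test hooks in their own commit makes the LPD-15231 backport to the affected 7.4.x and 2023.Qx lines smaller and easier to review. The adjacent accountEntryId output is a numeric id and needs no escaping.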
    
