Moderate severityNVD Advisory· Published Oct 27, 2025· Updated Oct 27, 2025
CVE-2025-62263
CVE-2025-62263
Description
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account Role’s “Title” text field to (1) view account role page, or (2) select account role page.
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 service pack 3 through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Organization’s “Name” text field to (1) view account page, (2) view account organization page, or (3) select account organization page.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.account.admin.webMaven | >= 2.0.0, < 2.0.108 | 2.0.108 |
Affected products
2- Liferay/DXPv5Range: 7.3.10-sp3
Patches
213571a47fd59LPS-199518 Add functional test
1 file changed · +77 −0
modules/apps/account/account-test/src/testFunctional/tests/Account.testcase+77 −0 modified@@ -3618,6 +3618,83 @@ definition { } } + @description = "Automation for LPS-199518. This ticket is about XSS. Role and Organization data should be escaped and rendered as a string." + @priority = 5 + test CanViewRoleAndOrganizationsPrintedAsScript { + property portal.acceptance = "true"; + + task ("Given an account with a Role as a script and an user") { + JSONAccountEntry.addAccountEntry( + accountEntryName = "A1", + accountEntryType = "Business"); + + Account.openAccountsAdmin(); + + LexiconEntry.gotoEntry(rowEntry = "A1"); + + var scriptRole = '''My title<script>confirm("compromised")</script>'''; + var scriptOrg = '''My org1<script>confirm("compromised")</script>'''; + + Account.addOwnedAccountRole(accountRoleTitle = ${scriptRole}); + + Account.openAccountsAdmin(); + + JSONUser.addUser( + userEmailAddress = "U1@liferay.com", + userFirstName = "U1fn", + userLastName = "U1ln", + userScreenName = "U1sn"); + } + + task ("And assign the user to the new account and a role") { + LexiconEntry.gotoEntry(rowEntry = "A1"); + + Account.assignUsers( + accountName = "A1", + assigneeName = "U1fn"); + + Account.addAssigneeToRoleViaUsersTab( + accountRoleTitle = ${scriptRole}, + accountUserName = "U1fn U1ln"); + } + + task ("Then check that the Account role is rendered as a string") { + AssertTextEquals( + key_columnName = "lfr-account-roles-column", + key_rowEntry = "U1fn U1ln", + locator1 = "ContentRow#ENTRY_CONTENT_ROW_NUMBER_TD", + value1 = ${scriptRole}); + } + + task ("And given a new organization with a title as a script") { + JSONOrganization.addOrganization(organizationName = ${scriptOrg}); + } + + task ("And add the organization to the new account") { + Account.openAccountsAdmin(); + + LexiconEntry.gotoEntry(rowEntry = "A1"); + + Account.assignOrganizations( + accountName = "A1", + assigneeName = ${scriptOrg}); + } + + task ("Then check that the Organizations name assigned to the new account is rendered as a script") { + Account.openAccountsAdmin(); + + AssertTextEquals( + key_columnName = "lfr-organizations-column", + key_rowEntry = "A1", + locator1 = "ContentRow#ENTRY_CONTENT_ROW_NUMBER_TD", + value1 = ${scriptOrg}); + } + + JSONUser.tearDownNonAdminUsers(); + + Organization.tearDownCP(orgName = ${scriptOrg}); + } + @description = "This tests canceling account creation will not save it." @priority = 4 test ClickingCancelOrBackWillNotSaveAccount {
842c142d87d0LPS-199518 Escape before displaying
5 files changed · +9 −9
modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/account_entry/view_account_organizations.jsp+2 −2 modified@@ -41,13 +41,13 @@ renderResponse.setTitle(accountEntryDisplay.getName()); <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" name="name" - property="name" + value="<%= HtmlUtil.escape(accountOrganization.getName()) %>" /> <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" name="parent-organization" - property="parentOrganizationName" + value="<%= HtmlUtil.escape(accountOrganization.getParentOrganizationName()) %>" /> <c:if test="<%= AccountEntryPermission.contains(permissionChecker, accountEntryDisplay.getAccountEntryId(), AccountActionKeys.MANAGE_ORGANIZATIONS) %>">
modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/account_entry/view_account_roles.jsp+2 −2 modified@@ -62,14 +62,14 @@ renderResponse.setTitle(accountEntryDisplay.getName()); cssClass="table-cell-expand-small table-cell-minw-150" href="<%= rowURL %>" name="name" - value="<%= accountRoleDisplay.getName(locale) %>" + value="<%= HtmlUtil.escape(accountRoleDisplay.getName(locale)) %>" /> <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" href="<%= rowURL %>" name="description" - value="<%= accountRoleDisplay.getDescription(locale) %>" + value="<%= HtmlUtil.escape(accountRoleDisplay.getDescription(locale)) %>" /> <liferay-ui:search-container-column-text
modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/select_account_organizations.jsp+2 −2 modified@@ -29,13 +29,13 @@ SearchContainer<Organization> organizationSearchContainer = AssignableAccountOrg <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" name="name" - property="name" + value="<%= HtmlUtil.escape(organization.getName()) %>" /> <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" name="parent-organization" - property="parentOrganizationName" + value="<%= HtmlUtil.escape(organization.getParentOrganizationName()) %>" /> </liferay-ui:search-container-row>
modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/select_account_roles.jsp+2 −2 modified@@ -30,13 +30,13 @@ accountRoleDisplaySearchContainer.setRowChecker(new SelectAccountUserAccountRole <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" name="name" - value="<%= accountRole.getName(locale) %>" + value="<%= HtmlUtil.escape(accountRole.getName(locale)) %>" /> <liferay-ui:search-container-column-text cssClass="table-cell-expand-small table-cell-minw-150" name="description" - value="<%= accountRole.getDescription(locale) %>" + value="<%= HtmlUtil.escape(accountRole.getDescription(locale)) %>" /> </liferay-ui:search-container-row>
modules/apps/account/account-admin-web/src/main/resources/META-INF/resources/account_entries_admin/view.jsp+1 −1 modified@@ -68,7 +68,7 @@ ViewAccountEntriesManagementToolbarDisplayContext viewAccountEntriesManagementTo cssClass="table-cell-expand" href="<%= rowURL %>" name="organizations" - property="organizationNames" + value="<%= HtmlUtil.escape(accountEntryDisplay.getOrganizationNames()) %>" /> <liferay-ui:search-container-column-text
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
6- github.com/advisories/GHSA-8mgf-rgg5-w38qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62263ghsaADVISORY
- github.com/liferay/liferay-portal/commit/13571a47fd59dcb5f52d938df82960b3421b51b2ghsaWEB
- github.com/liferay/liferay-portal/commit/842c142d87d0187ea2af19ee79dd1694fd46d72bghsaWEB
- liferay.atlassian.net/browse/LPE-17861ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62263ghsaWEB
News mentions
0No linked articles in our index yet.