CVE-2025-62239

Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition.

Published: Oct 10, 2025
Updated: Oct 11, 2025
CVE: CVE-2025-62239
GHSA: GHSA-xcvw-hh99-qm73
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.portal.workflow.kaleo.designer.web	5.0.56	5.0.124

https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/3acad2d8683688ce022abf2dfbab9fb500c5a619
https://liferay.atlassian.net/browse/LPE-17919
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62239

Vulnerability Database

CVE-2025-62239

Deep Security Visibility Without the Complexity