Critical Vulnerability Information

CVE-2025-62240 XSS with user name in calendar event

Description
Multiple cross-site scripting (XSS) vulnerabilities in Liferay DXP's Calendar events allow remote attackers to inject arbitrary web scripts or HTML by crafting a payload inserted into a user's (1) First Name, (2) Middle Name, or (3) Last Name text fields.

Severity
4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Affected Versions
Liferay Portal 7.4.3.35 through 7.4.3.111
Liferay DXP 2023.Q4.0 through 2023.Q4.5
Liferay DXP 2023.Q3.1 through 2023.Q3.7
Liferay DXP 7.4 Update 35 through Update 92
Liferay DXP 7.3 Update 25 through Update 36

Fixed Versions
Liferay Portal 7.4.3.112
Liferay DXP 2024.Q1.1
Liferay DXP 2023.Q4.6
Liferay DXP 2023.Q3.8

Acknowledgments
This issue was reported by foobar7

Publication Date
Fri, 13 Sep 2024 13:49:00 +0000