CVE-2025-62265

by Fred · 30/10/2025

Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted injected into a blog entry’s “Content” text field </p> <p>The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.</p> <p>More information : <a href="https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62265">https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62265</a></p> <div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-x"><a rel="nofollow noopener noreferrer" data-shared="sharing-x-724371" class="share-x sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2025-62265/?share=x" target="_blank" aria-labelledby="sharing-x-724371" > <span id="sharing-x-724371" hidden>Click to share on X (Opens in new window)</span> <span>X</span> </a></li><li class="share-bluesky"><a rel="nofollow noopener noreferrer" data-shared="sharing-bluesky-724371" class="share-bluesky sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2025-62265/?share=bluesky" target="_blank" aria-labelledby="sharing-bluesky-724371" > <span id="sharing-bluesky-724371" hidden>Click to share on Bluesky (Opens in new window)</span> <span>Bluesky</span> </a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-724371" class="share-facebook sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2025-62265/?share=facebook" target="_blank" aria-labelledby="sharing-facebook-724371" > <span id="sharing-facebook-724371" hidden>Click to share on Facebook (Opens in new window)</span> <span>Facebook</span> </a></li><li class="share-linkedin"><a rel="nofollow noopener noreferrer" data-shared="sharing-linkedin-724371" class="share-linkedin sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2025-62265/?share=linkedin" target="_blank" aria-labelledby="sharing-linkedin-724371" > <span id="sharing-linkedin-724371" hidden>Click to share on LinkedIn (Opens in new window)</span> <span>LinkedIn</span> </a></li><li class="share-threads"><a rel="nofollow noopener noreferrer" data-shared="sharing-threads-724371" class="share-threads sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2025-62265/?share=threads" target="_blank" aria-labelledby="sharing-threads-724371" > <span id="sharing-threads-724371" hidden>Click to share on Threads (Opens in new window)</span> <span>Threads</span> </a></li><li class="share-mastodon"><a rel="nofollow noopener noreferrer" data-shared="sharing-mastodon-724371" class="share-mastodon sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2025-62265/?share=mastodon" target="_blank" aria-labelledby="sharing-mastodon-724371" > <span id="sharing-mastodon-724371" hidden>Click to share on Mastodon (Opens in new window)</span> <span>Mastodon</span> </a></li><li class="share-end"></li></ul></div></div></div> <div id='jp-relatedposts' class='jp-relatedposts' > <h3 class="jp-relatedposts-headline"><em>Similar</em></h3> </div> <nav class="pagination group"> </nav> </div> <div class="clear"></div> </div> </div> </article> <div class="clear"></div> <p class="post-tags"><span>Tags:</span> <a href="https://security.nuyts.tech/tag/cybersecurity-alert/" rel="tag">Cybersecurity Alert</a></p> <section id="comments" class="themeform">  </section> </div> </main> <div class="sidebar s1 collapsed" data-position="left" data-layout="col-2cr" data-sb-id="s1"> <button class="sidebar-toggle" title="Expand Sidebar"><i class="fas sidebar-toggle-arrows"></i></button> <div class="sidebar-content"> <ul class="post-nav group"> <li class="next"><strong>Next story </strong><a href="https://security.nuyts.tech/cve-2025-3355/" rel="next"><i class="fas fa-chevron-right"></i><span>CVE-2025-3355</span></a></li> <li class="previous"><strong>Previous story </strong><a href="https://security.nuyts.tech/cve-2025-52180/" rel="prev"><i class="fas fa-chevron-left"></i><span>CVE-2025-52180</span></a></li> </ul> <div id="search-4" class="widget widget_search"><form role="search" method="get" class="search-form" action="https://security.nuyts.tech/"> <label> <span class="screen-reader-text">Search for:</span> <input type="search" class="search-field" placeholder="Search …" value="" name="s" /> </label> <input type="submit" class="search-submit" value="Search" /> </form></div> <div id="recent-posts-2" class="widget widget_recent_entries"> <h3 class="widget-title">Recent Posts</h3> <ul> <li> <a href="https://security.nuyts.tech/cve-2025-12180/">CVE-2025-12180</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12090/">CVE-2025-12090</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12038/">CVE-2025-12038</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11983/">CVE-2025-11983</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11740/">CVE-2025-11740</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11502/">CVE-2025-11502</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-5949/">CVE-2025-5949</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12118/">CVE-2025-12118</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11995/">CVE-2025-11995</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11927/">CVE-2025-11927</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11377/">CVE-2025-11377</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12367/">CVE-2025-12367</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11928/">CVE-2025-11928</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11833/">CVE-2025-11833</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-62275/">CVE-2025-62275</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11922/">CVE-2025-11922</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11920/">CVE-2025-11920</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11816/">CVE-2025-11816</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-11174/">CVE-2025-11174</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-62276/">CVE-2025-62276</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-12464/">CVE-2025-12464</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63563/">CVE-2025-63563</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63562/">CVE-2025-63562</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63561/">CVE-2025-63561</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-60711/">CVE-2025-60711</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-10693/">CVE-2025-10693</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-64349/">CVE-2025-64349</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-64348/">CVE-2025-64348</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63458/">CVE-2025-63458</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-63454/">CVE-2025-63454</a> </li> </ul> </div><div id="categories-2" class="widget widget_categories"><h3 class="widget-title">Categories</h3> <ul> <li class="cat-item cat-item-13"><a href="https://security.nuyts.tech/category/critical-cyberalert/">Critical cyberalert</a> </li> <li class="cat-item cat-item-2"><a href="https://security.nuyts.tech/category/vulnerabilities/">Vulnerabilities</a> </li> </ul> </div><div id="tag_cloud-2" class="widget widget_tag_cloud"><h3 class="widget-title">Tags</h3><div class="tagcloud"><a href="https://security.nuyts.tech/tag/cisa/" class="tag-cloud-link tag-link-18 tag-link-position-1" style="font-size: 8pt;" aria-label="CISA (1 item)">CISA</a> <a href="https://security.nuyts.tech/tag/cybersecurity-alert/" class="tag-cloud-link tag-link-3 tag-link-position-2" style="font-size: 22pt;" aria-label="Cybersecurity Alert (289,935 items)">Cybersecurity Alert</a> <a href="https://security.nuyts.tech/tag/shields-up/" class="tag-cloud-link tag-link-14 tag-link-position-3" style="font-size: 8pt;" aria-label="Shields Up (1 item)">Shields Up</a></div> </div> </div> </div> </div> </div> </div> </div> <footer id="footer"> <section class="container" id="footer-bottom"> <div class="container-inner"> <a id="back-to-top" href="#"><i class="fas fa-angle-up"></i></a> <div class="hu-pad group"> <div class="grid one-half"> <div id="copyright"> <p>© 1999-2025 <a href="https://www.nuyts.tech">NUYTSTECH</a>. All Rights Reserved. Use of the CVE (Common Vulnerabilities and Exposures) from this non-profit website are subject to the terms of use.</p> </div> </div> <div class="grid one-half last"> <ul class="social-links"><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Twitter-square" aria-label="Follow us on Twitter-square" href="https://twitter.com/NUYTSTECH" target="_blank" ><i class="fab fa-twitter-square"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Facebook" aria-label="Follow us on Facebook" href="https://www.facebook.com/nuytstech" target="_blank" ><i class="fab fa-facebook-square"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Instagram" aria-label="Follow us on Instagram" href="https://www.instagram.com/nuyts.tech/" target="_blank" ><i class="fab fa-instagram"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Tumblr" aria-label="Follow us on Tumblr" href="https://nuytstech.tumblr.com/" target="_blank" ><i class="fab fa-tumblr-square"></i></a></li></ul> </div> </div> </div> </section> </footer> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/hueman\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script>  <script async src="https://www.googletagmanager.com/gtag/js?id=G-BDBTK0NYFL"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-BDBTK0NYFL'); </script>  <script>  <script type="text/javascript"> window.WPCOM_sharing_counts = {"https:\/\/security.nuyts.tech\/cve-2025-62265\/":724371}; </script> <script id="cookie-notice-front-js-before"> var cnArgs = {"ajaxUrl":"https:\/\/security.nuyts.tech\/wp-admin\/admin-ajax.php","nonce":"40544c93cf","hideEffect":"fade","position":"bottom","onScroll":false,"onScrollOffset":100,"onClick":false,"cookieName":"cookie_notice_accepted","cookieTime":2592000,"cookieTimeRejected":2592000,"globalCookie":false,"redirection":false,"cache":true,"revokeCookies":false,"revokeCookiesOpt":"automatic"}; </script> <script src="https://security.nuyts.tech/wp-content/plugins/cookie-notice/js/front.min.js?ver=2.5.8" id="cookie-notice-front-js"></script> <script src="https://c0.wp.com/c/6.8.3/wp-includes/js/underscore.min.js" id="underscore-js"></script> <script id="hu-front-scripts-js-extra"> var HUParams = {"_disabled":[],"SmoothScroll":{"Enabled":false,"Options":{"touchpadSupport":false}},"centerAllImg":"1","timerOnScrollAllBrowsers":"1","extLinksStyle":"","extLinksTargetExt":"","extLinksSkipSelectors":{"classes":["btn","button"],"ids":[]},"imgSmartLoadEnabled":"","imgSmartLoadOpts":{"parentSelectors":[".container .content",".post-row",".container .sidebar","#footer","#header-widgets"],"opts":{"excludeImg":[".tc-holder-img"],"fadeIn_options":100,"threshold":0}},"goldenRatio":"1.618","gridGoldenRatioLimit":"350","sbStickyUserSettings":{"desktop":false,"mobile":false},"sidebarOneWidth":"340","sidebarTwoWidth":"260","isWPMobile":"","menuStickyUserSettings":{"desktop":"stick_up","mobile":"stick_up"},"mobileSubmenuExpandOnClick":"1","submenuTogglerIcon":"<i class=\"fas fa-angle-down\"><\/i>","isDevMode":"","ajaxUrl":"https:\/\/security.nuyts.tech\/?huajax=1","frontNonce":{"id":"HuFrontNonce","handle":"2964935c31"},"isWelcomeNoteOn":"","welcomeContent":"","i18n":{"collapsibleExpand":"Expand","collapsibleCollapse":"Collapse"},"deferFontAwesome":"","fontAwesomeUrl":"https:\/\/security.nuyts.tech\/wp-content\/themes\/hueman\/assets\/front\/css\/font-awesome.min.css?3.7.27","mainScriptUrl":"https:\/\/security.nuyts.tech\/wp-content\/themes\/hueman\/assets\/front\/js\/scripts.min.js?3.7.27","flexSliderNeeded":"","flexSliderOptions":{"is_rtl":false,"has_touch_support":true,"is_slideshow":false,"slideshow_speed":5000},"fitTextMap":{"single_post_title":{"selectors":".single h1.entry-title","minEm":1.375,"maxEm":2.62},"page_title":{"selectors":".page-title h1","minEm":1,"maxEm":1.3},"home_page_title":{"selectors":".home .page-title","minEm":1,"maxEm":1.2,"compression":2.5},"post_titles":{"selectors":".blog .post-title, .archive .post-title","minEm":1.375,"maxEm":1.475},"featured_post_titles":{"selectors":".featured .post-title","minEm":1.375,"maxEm":2.125},"comments":{"selectors":".commentlist li","minEm":0.8125,"maxEm":0.93,"compression":2.5},"entry":{"selectors":".entry","minEm":0.9375,"maxEm":1.125,"compression":2.5},"content_h1":{"selectors":".entry h1, .woocommerce div.product h1.product_title","minEm":1.7578125,"maxEm":2.671875},"content_h2":{"selectors":".entry h2","minEm":1.5234375,"maxEm":2.390625},"content_h3":{"selectors":".entry h3","minEm":1.40625,"maxEm":1.96875},"content_h4":{"selectors":".entry h4","minEm":1.2890625,"maxEm":1.6875},"content_h5":{"selectors":".entry h5","minEm":1.0546875,"maxEm":1.40625},"content_h6":{"selectors":".entry h6","minEm":0.9375,"maxEm":1.265625,"compression":2.5}},"userFontSize":"16","fitTextCompression":"1.5"}; </script> <script src="https://security.nuyts.tech/wp-content/themes/hueman/assets/front/js/scripts.min.js?ver=3.7.27" id="hu-front-scripts-js" defer></script> <script id="jetpack-stats-js-before"> _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"197793834\",\"post\":\"724371\",\"tz\":\"1\",\"srv\":\"security.nuyts.tech\",\"j\":\"1:15.1.1\"}") ]); _stq.push([ "clickTrackerInit", "197793834", "724371" ]); </script> <script src="https://stats.wp.com/e-202544.js" id="jetpack-stats-js" defer data-wp-strategy="defer"></script> <script id="sharing-js-js-extra"> var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"}; </script> <script src="https://c0.wp.com/p/jetpack/15.1.1/_inc/build/sharedaddy/sharing.min.js" id="sharing-js-js"></script> <script id="sharing-js-js-after"> var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-x' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-x' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomx', 'menubar=1,resizable=1,width=600,height=350' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-bluesky' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-bluesky' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcombluesky', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-facebook' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-linkedin' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-linkedin' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomlinkedin', 'menubar=1,resizable=1,width=580,height=450' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-threads' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-threads' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomthreads', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-mastodon' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-mastodon' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcommastodon', 'menubar=1,resizable=1,width=460,height=400' ); return false; } } ); } )(); </script>   <div id="cookie-notice" role="dialog" class="cookie-notice-hidden cookie-revoke-hidden cn-position-bottom" aria-label="Cookie Notice" style="background-color: rgba(50,50,58,1);"><div class="cookie-notice-container" style="color: #fff"><span id="cn-notice-text" class="cn-text-container">We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.</span><span id="cn-notice-buttons" class="cn-buttons-container"><button id="cn-accept-cookie" data-cookie-set="accept" class="cn-set-cookie cn-button" aria-label="Ok" style="background-color: #00a99d">Ok</button><button data-link-url="https://security.nuyts.tech/terms-of-use/privacy-policy/" data-link-target="_blank" id="cn-more-info" class="cn-more-info cn-button" aria-label="Privacy policy" style="background-color: #00a99d">Privacy policy</button></span><button id="cn-close-notice" data-cookie-set="accept" class="cn-close-icon" aria-label="No"></button></div> </div> </body> </html>