Headline
GHSA-56jv-4ww3-65mw: Liferay Portal is vulnerable to XSS in the Blogs widget
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry’s “Content” text field.
The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-62265
Liferay Portal is vulnerable to XSS in the Blogs widget
Moderate severity GitHub Reviewed Published Oct 30, 2025 to the GitHub Advisory Database • Updated Oct 31, 2025
Package
maven com.liferay.portal:release.portal.bom (Maven)
Affected versions
>= 7.4.0-ga1, < 7.4.3.112-ga112
Patched versions
7.4.3.112-ga112
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted <iframe> injected into a blog entry’s “Content” text field.
The Blogs widget in Liferay DXP does not add the sandbox attribute to <iframe> elements, which allows remote attackers to access the parent page via scripts and links in the frame page.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-62265
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62265
Published to the GitHub Advisory Database
Oct 30, 2025
Last updated
Oct 31, 2025