{"id":"CVE-2025-62265","details":"Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted \u003ciframe\u003e injected into a blog entry's “Content” text field.\n\nThe Blogs widget in Liferay DXP does not add the sandbox attribute to \u003ciframe\u003e elements, which allows remote attackers to access the parent page via scripts and links in the frame page.","aliases":["GHSA-56jv-4ww3-65mw"],"modified":"2026-04-02T12:57:43.898853Z","published":"2025-10-30T19:16:35.490Z","references":[{"type":"ADVISORY","url":"https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62265"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/liferay/liferay-portal","events":[{"introduced":"0"},{"fixed":"b8c35409971bf2f43bb7e28bd1638daab05ce6fa"}],"database_specific":{"versions":[{"introduced":"7.2.0"},{"fixed":"7.4.3.112"}]}}],"versions":["6.1.0-b1","6.1.0-b2","6.1.0-b3","6.1.0-b4","6.1.0-ga1","6.1.0-rc1","6.1.1-ga2","6.1.2-ga3","6.2.0-b1","6.2.0-b2","6.2.0-ga1","6.2.0-m1","6.2.0-m2","6.2.0-m3","6.2.0-m4","6.2.0-m5","6.2.0-m6","6.2.0-rc1","6.2.0-rc2","6.2.0-rc3","6.2.0-rc4","6.2.0-rc5","6.2.0-rc6","6.2.1-ga2","6.2.2-ga3","6.2.3-ga4","6.2.4-ga5","6.2.5-ga6","7.0.0-a1","7.0.0-a2","7.0.0-a3","7.0.0-a4","7.0.0-a5","7.0.0-b1","7.0.0-b2","7.0.0-b3","7.0.0-b4","7.0.0-b5","7.0.0-b6","7.0.0-b7","7.0.0-ga1","7.0.0-m1","7.0.0-m2","7.0.0-m3","7.0.0-m4","7.0.0-m5","7.0.0-m6","7.0.0-m7","7.0.1-ga2","7.0.2-ga3","7.0.3-ga4","7.0.4-ga5","7.0.5-ga6","7.0.6-ga7","7.1.0-a1","7.1.0-a2","7.1.0-b1","7.1.0-b2","7.1.0-b3","7.1.0-ga1","7.1.0-m1","7.1.0-m2","7.1.0-rc1","7.1.1-ga2","7.1.2-ga3","7.1.3-ga4","7.2.0-a1","7.2.0-b1","7.2.0-b2","7.2.0-b3","
7.2.0-ga1","7.2.0-m2","7.2.0-rc2","7.2.0-rc3","7.2.1-ga2","7.3.0-ga1","7.3.1-ga2","7.3.2-ga3","7.3.3-ga4","7.3.4-ga5","7.3.5-ga6","7.3.6-ga7","7.3.7-ga8","7.4.0-ga1","7.4.1-ga2","7.4.2-ga3","7.4.3.10-ga10","7.4.3.100-ga100","7.4.3.101-ga101","7.4.3.102-ga102","7.4.3.103-ga103","7.4.3.104-ga104","7.4.3.105-ga105","7.4.3.106-ga106","7.4.3.107-ga107","7.4.3.108-ga108","7.4.3.109-ga109","7.4.3.11-ga11","7.4.3.110-ga110","7.4.3.111-ga111","7.4.3.113-ga113","7.4.3.114-ga114","7.4.3.115-ga115","7.4.3.116-ga116","7.4.3.117-ga117","7.4.3.118-ga118","7.4.3.119-ga119","7.4.3.12-ga12","7.4.3.120-ga120","7.4.3.121-ga121","7.4.3.122-ga122","7.4.3.123-ga123","7.4.3.124-ga124","7.4.3.125-ga125","7.4.3.126-ga126","7.4.3.127-ga127","7.4.3.128-ga128","7.4.3.129-ga129","7.4.3.13-ga13","7.4.3.130-ga130","7.4.3.131-ga131","7.4.3.132-ga132","7.4.3.14-ga14","7.4.3.15-ga15","7.4.3.16-ga16","7.4.3.17-ga17","7.4.3.18-ga18","7.4.3.19-ga19","7.4.3.20-ga20","7.4.3.21-ga21","7.4.3.22-ga22","7.4.3.23-ga23","7.4.3.24-ga24","7.4.3.25-ga25","7.4.3.26-ga26","7.4.3.27-ga27","7.4.3.28-ga28","7.4.3.29-ga29","7.4.3.30-ga30","7.4.3.31-ga31","7.4.3.32-ga32","7.4.3.33-ga33","7.4.3.34-ga34","7.4.3.35-ga35","7.4.3.36-ga36","7.4.3.37-ga37","7.4.3.38-ga38","7.4.3.39-ga39","7.4.3.4-ga4","7.4.3.40-ga40","7.4.3.41-ga41","7.4.3.42-ga42","7.4.3.43-ga43","7.4.3.44-ga44","7.4.3.45-ga45","7.4.3.46-ga46","7.4.3.47-ga47","7.4.3.48-ga48","7.4.3.49-ga49","7.4.3.5-ga5","7.4.3.50-ga50","7.4.3.51-ga51","7.4.3.52-ga52","7.4.3.53-ga53","7.4.3.54-ga54","7.4.3.55-ga55","7.4.3.56-ga56","7.4.3.57-ga57","7.4.3.58-ga58","7.4.3.59-ga59","7.4.3.6-ga6","7.4.3.60-ga60","7.4.3.61-ga61","7.4.3.62-ga62","7.4.3.63-ga63","7.4.3.64-ga64","7.4.3.65-ga65","7.4.3.66-ga66","7.4.3.67-ga67","7.4.3.68-ga68","7.4.3.69-ga69","7.4.3.7-ga7","7.4.3.70-ga70","7.4.3.71-ga71","7.4.3.72-ga72","7.4.3.73-ga73","7.4.3.74-ga74","7.4.3.75-ga75","7.4.3.76-ga76","7.4.3.77-ga77","7.4.3.78-ga78","7.4.3.79-ga79","7.4.3.8-ga8","7.4.3.80-ga80","7.4.3.81-ga81","7.4.3.82-ga
82","7.4.3.83-ga83","7.4.3.84-ga84","7.4.3.85-ga85","7.4.3.86-ga86","7.4.3.87-ga87","7.4.3.88-ga88","7.4.3.89-ga89","7.4.3.9-ga9","7.4.3.90-ga90","7.4.3.91-ga91","7.4.3.92-ga92","7.4.3.93-ga93","7.4.3.94-ga94","7.4.3.95-ga95","7.4.3.96-ga96","7.4.3.97-ga97","7.4.3.98-ga98","7.4.3.99-ga99","commerce-2.0.7","commerce-2.1.0","commerce-2.1.1","commerce-2.1.2","sync-3.0.0-b1","sync-3.0.1-b2","sync-3.0.10-ga2","sync-3.0.2-b3","sync-3.0.3-b4","sync-3.0.4-b5","sync-3.0.5-b6","sync-3.0.6-b7","sync-3.0.7-b8","sync-3.0.8-b9","sync-3.0.9-ga1","sync-3.1.0-ga1","test-fix-pack-base-7310","test-sandbox-2-fix-pack-fix-89660450"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62265.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.5"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.7"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q3.8"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.3"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.4"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.5"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.7"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.8"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"2023.q4.10"}]}]}}],"schema
_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}