Key Vulnerability Information

CVE-2025-62240 XSS with user name in calendar event

Description
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay DXP allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name or (3) Last Name text field.

Severity
4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Affected Versions
Liferay Portal 7.4.3.35 through 7.4.3.111
Liferay DXP 2023.Q4.0 through 2023.Q4.5
Liferay DXP 2023.Q3.1 through 2023.Q3.7
Liferay DXP 7.4 Update 35 through Update 92
Liferay DXP 7.3 Update 25 through Update 36

Fixed Versions
Liferay Portal 7.4.3.112
Liferay DXP 2024.Q1.1
Liferay DXP 2023.Q4.6
Liferay DXP 2023.Q3.8

Acknowledgments
This issue was reported by foobar7

Publication Date
Fri, 13 Sep 2024 13:49:00 +0000
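The affected ranges above use three different version schemes (Portal four-part, DXP quarterly, DXP update number), so checking an inventory against them needs per-scheme parsing. The following is an added example, not part of the advisory or Liferay's own tooling; the function names, the host names and the expected input string format ("Liferay Portal ..." / "Liferay DXP ...") are assumptions.

```python
import re

# Affected ranges copied from the advisory above, inclusive on both ends.
AFFECTED = [
    ("portal", (7, 4, 3, 35), (7, 4, 3, 111)),
    ("dxp-quarterly", (2023, 4, 0), (2023, 4, 5)),
    ("dxp-quarterly", (2023, 3, 1), (2023, 3, 7)),
    ("dxp-update", (7, 4, 35), (7, 4, 92)),
    ("dxp-update", (7, 3, 25), (7, 3, 36)),
]

# One pattern per version scheme; the captured groups are compared as integers.
PATTERNS = [
    ("portal", re.compile(r"^Liferay Portal (\d+)\.(\d+)\.(\d+)\.(\d+)$")),
    ("dxp-quarterly", re.compile(r"^Liferay DXP (\d{4})\.Q([1-4])\.(\d+)$")),
    ("dxp-update", re.compile(r"^Liferay DXP (\d+)\.(\d+) Update (\d+)$")),
]


def parse_version(text):
    """Return (scheme, tuple of ints); raise ValueError for unknown formats."""
    cleaned = " ".join(text.split())  # collapse stray whitespace
    for scheme, pattern in PATTERNS:
        match = pattern.match(cleaned)
        if match:
            return scheme, tuple(int(g) for g in match.groups())
    raise ValueError(f"unrecognised Liferay version string: {text!r}")


def is_affected(text):
    """True if the version falls inside a range listed in the advisory."""
    scheme, version = parse_version(text)
    return any(s == scheme and low <= version <= high
               for s, low, high in AFFECTED)


def triage(inventory):
    """Map each host to 'affected', 'not listed' or 'unparsed'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unparsed"  # needs manual review, never assume safe
    return result


# Constructed sample inventory; host names are hypothetical.
SAMPLE = {
    "portal-a": "Liferay Portal 7.4.3.111",
    "portal-b": "Liferay Portal 7.4.3.112",
    "dxp-a": "Liferay DXP 2023.Q4.5",
    "dxp-b": "Liferay DXP 7.3  Update 25",
    "dxp-c": "Liferay DXP (version not recorded)",
}
```

"not listed" means only that the version is outside the ranges the advisory names; versions older than the listed ranges are not covered by this check.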