N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62237

GHSA ID

GHSA-m4g9-5mg6-gfr3

EPSS Score

CWE

CWE-79

Published

10/10/2025

Updated

10/11/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62237

CVE-2025-62237: Liferay Portal Commerce is vulnerable to XSS through account "name" field

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62237

CVE-2025-62237:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62237

GHSA ID

GHSA-m4g9-5mg6-gfr3

EPSS Score

CWE

CWE-79

Published

10/10/2025

Updated

10/11/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.commerce:com.liferay.commerce.order.web	maven	>= 5.0.29, < 5.0.101	5.0.101

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic stored Cross-Site Scripting (XSS) issue within the Liferay Portal Commerce module. The root cause is the failure to properly sanitize user-provided input before rendering it on a web page. The provided commit e6d49eda196676aa3fecb26f6a8ba100602d0c36 serves as the primary evidence for this analysis.

The patch modifies the general.jsp file, which is used to display order information. Specifically, it changes how the account name is displayed. Before the patch, the account name was rendered directly into the HTML using <%= accountEntry.getName() %>. This means that if an account name contained HTML or JavaScript, it would be interpreted by the browser.

The fix wraps the output of accountEntry.getName() with HtmlUtil.escape(), a function that neutralizes potentially malicious characters (like <, >, ") by converting them into their corresponding HTML entities. This prevents the browser from interpreting them as code.

During exploitation, a profiler would trace the execution flow to the rendering of the general.jsp page. JSP files are compiled into Java Servlets, and the main logic resides within the _jspService method. Therefore, org.apache.jsp.commerce_order.general_jsp._jspService is the precise function that would appear in a runtime profile and is the location of the vulnerable code. The call to accountEntry.getName() would also be observed as the source of the tainted data that triggers the vulnerability.

Vulnerable functions

org.apache.jsp.commerce_order.general_jsp._jspService

modules/apps/commerce/commerce-order-web/src/main/resources/META-INF/resources/commerce_order/general.jsp

This JSP file is responsible for rendering the order details page. The vulnerability lies in the fact that it directly includes the account name in the HTML output without proper sanitization. An attacker can set a malicious script as their account name, and this script will be executed in the browser of anyone viewing an order associated with that account. The `_jspService` method is the main method in the compiled JSP servlet that handles the request and generates the response, and therefore contains the vulnerable code.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62237: Liferay Portal Commerce is vulnerable to XSS through account "name" field

CVE-2025-62237:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-62237: Liferay Portal Commerce is vulnerable to XSS through account "name" field

Technical Details

Basic Information

Basic Information

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI