CVE-2025-62240: Liferay Portal is vulnerable to XSS through its Calendar Events parameters

CVSS Score: N/A

Basic Information

EPSS Score: 0.36253%
Published: 10/9/2025
Updated: 10/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Affected Package
Package Name: com.liferay:com.liferay.calendar.web
Ecosystem: Maven
Vulnerable Versions: >= 5.0.45, < 5.0.88
First Patched Version: 5.0.88

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability lies in com.liferay.calendar.web.internal.util.CalendarUtil.toCalendarBookingJSONObject, the function that builds the JSON object representing a calendar booking. The referenced patch, commit 961b569fbd9207c728a93d962e989dbc062f6fb6, shows that the calendar resource name obtained via calendarResource.getName(themeDisplay.getLocale()) was put into that object unescaped. The fix wraps the call in HtmlUtil.escape(), so that markup characters in the name are encoded before the value is returned to the browser. A remote attacker can reach this path without touching the calendar code directly: a payload placed in a user's name fields becomes that user's calendar resource name, and when a calendar event for that resource is viewed the script executes in the victim's browser, that is, a stored XSS. Note that the fix encodes at JSON serialization time rather than at the rendering sink, so it relies on the client inserting the name as HTML; a consumer that renders the field as plain text will show the entity-encoded form literally.

Vulnerable functions

com.liferay.calendar.web.internal.util.CalendarUtil.toCalendarBookingJSONObject
modules/apps/calendar/calendar-web/src/main/java/com/liferay/calendar/web/internal/util/CalendarUtil.java
The function `toCalendarBookingJSONObject` was vulnerable to stored XSS because it did not HTML-escape the calendar resource name before including it in the JSON response. An attacker who can give a calendar resource a malicious name (for example through a user's own name fields, which become that user's calendar resource name) gets the embedded script executed in the browser of anyone viewing a calendar event for that resource. The patched version passes the name through HtmlUtil.escape() before putting it into the JSON object.
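The following is an added example, not code from Liferay or from the commit referenced above. It reproduces the shape of the bug described in the root cause analysis and in the vulnerable-function note in plain Java with stand-in types, so it compiles with a JDK alone: a minimal nested CalendarResource class, a small HTML escaper that approximates HtmlUtil.escape() (Liferay's real implementation is not reproduced), and a hand-rolled JSON serializer. The sample resource name is constructed. The method names toCalendarBookingJSONObjectVulnerable and toCalendarBookingJSONObjectFixed are illustrative, not Liferay's; they show the pre-patch and post-patch shapes side by side, and containsRawMarkup is an audit predicate that flags any JSON value still carrying raw markup.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public final class CalendarBookingXssDemo {

    /** Stand-in for Liferay's CalendarResource, reduced to the accessor on the bug path (assumption). */
    static final class CalendarResource {
        private final String name;
        CalendarResource(String name) { this.name = name; }
        /** Liferay's getName(Locale) returns a localized value; the stand-in ignores the locale. */
        String getName(Locale locale) { return name; }
    }

    /** Approximation of HtmlUtil.escape(): encodes the characters that change meaning
     *  once a string is inserted into HTML. Not Liferay's implementation. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-patch shape (illustrative name): the resource name is copied into the JSON object as-is. */
    static Map<String, String> toCalendarBookingJSONObjectVulnerable(CalendarResource r, Locale locale) {
        Map<String, String> json = new LinkedHashMap<>();
        json.put("calendarResourceName", r.getName(locale));
        return json;
    }

    /** Post-patch shape (illustrative name): the same value wrapped in the escaper,
     *  which is what the fix does with HtmlUtil.escape(). */
    static Map<String, String> toCalendarBookingJSONObjectFixed(CalendarResource r, Locale locale) {
        Map<String, String> json = new LinkedHashMap<>();
        json.put("calendarResourceName", htmlEscape(r.getName(locale)));
        return json;
    }

    /** JSON string escaping only (quotes and backslashes; control characters omitted for brevity).
     *  Note what it does not touch: '<' and '>' pass through, so well-formed JSON can still carry markup. */
    static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    static String toJsonString(Map<String, String> obj) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : obj.entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append('"').append(jsonEscape(e.getKey())).append("\":\"")
              .append(jsonEscape(e.getValue())).append('"');
        }
        return sb.append('}').toString();
    }

    /** Audit predicate: true if any value would be parsed as markup by an innerHTML-style sink. */
    static boolean containsRawMarkup(Map<String, String> obj) {
        return obj.values().stream().anyMatch(v -> v.indexOf('<') >= 0 || v.indexOf('>') >= 0);
    }

    public static void main(String[] args) {
        // Constructed sample: a user's name fields carry a payload, and Liferay uses the
        // user's name as that user's calendar resource name, so the payload lands here.
        CalendarResource r = new CalendarResource("Alice <img src=x onerror=alert(document.domain)>");
        Locale locale = Locale.US;

        Map<String, String> before = toCalendarBookingJSONObjectVulnerable(r, locale);
        Map<String, String> after = toCalendarBookingJSONObjectFixed(r, locale);

        System.out.println("vulnerable: " + toJsonString(before)
            + "  rawMarkup=" + containsRawMarkup(before));
        System.out.println("fixed:      " + toJsonString(after)
            + "  rawMarkup=" + containsRawMarkup(after));
    }
}
```

Run it with `java CalendarBookingXssDemo.java` (single-file source launch, JDK 11 or later). Both outputs are valid JSON; JSON string escaping never touches `<` or `>`, so only the HTML-escaped variant is safe once the client inserts the value into the DOM as HTML. Because the encoding happens in the serializer, a consumer that renders the field as plain text will display the entity form (`&lt;img ...&gt;`) literally; that is the trade-off of escaping in the API layer rather than at the rendering sink.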

WAF Protection Rules

WAF Rule

Multiple cross-site scripting (XSS) vulnerabilities with calendar events in Liferay Portal *.*.*.** through *.*.*.***, and Liferay DXP ****.Q*.* through ****.Q*.*, ****.Q*.* through ****.Q*.*, *.* update ** through update **, and *.* update ** throu
