
CVE-2025-62265: Liferay Portal is vulnerable to XSS in the Blogs widget

CVSS Score: N/A

Basic Information

EPSS Score: 0.36408%
Published: 10/30/2025
Updated: 10/31/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.liferay.portal:release.portal.bom | maven | >= 7.4.0-ga1, < 7.4.3.112-ga112 | 7.4.3.112-ga112

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a cross-site scripting (XSS) issue in the Blogs widget of Liferay Portal, caused by <iframe> elements in blog entries being rendered without a sandbox attribute. An unsandboxed frame is free to run script, submit forms and navigate the top-level page, and a same-origin frame can read and modify the parent document directly, so a crafted frame placed in a blog entry can interact with the page that embeds it.

The fix commit 8cbe1eec144d48d20d2752ed99a0cad78656f74b introduces a new module, portal-security-iframe-sanitizer, containing the class IFrameSanitizerImpl, which implements the Sanitizer interface. Its key method, sanitize, is responsible for processing user-provided content before it is rendered.

In the first revision of the module, the sanitize method returns the content unchanged. Because the module is new in this commit, no sanitizer added a sandbox attribute to <iframe> tags in blog entries in the vulnerable releases; the pass-through body reflects that pre-fix state. An attacker able to author a blog entry could therefore inject a crafted <iframe> that is rendered without any sandbox restrictions.

The function recorded here as vulnerable is therefore com.liferay.portal.security.iframe.sanitizer.internal.IFrameSanitizerImpl.sanitize: at runtime, when a blog entry is rendered, this method processes the entry body, and in its pass-through state it leaves every <iframe> without a sandbox attribute, so an embedded payload executes unrestricted. Strictly, the method did not exist before the fix, so what was vulnerable is the rendering path that lacked this sandboxing step; the practical check is the release line, with builds from 7.4.0-ga1 up to, but not including, 7.4.3.112-ga112 affected according to the package table above.

Vulnerable functions

com.liferay.portal.security.iframe.sanitizer.internal.IFrameSanitizerImpl.sanitize
modules/apps/portal-security/portal-security-iframe-sanitizer/src/main/java/com/liferay/portal/security/iframe/sanitizer/internal/IFrameSanitizerImpl.java
The vulnerability lies in the `sanitize` method, which is responsible for cleaning user-provided content. The initial implementation of this method in `IFrameSanitizerImpl` returns the content unmodified, as shown in the patch evidence, so `<iframe>` tags injected into blog entries are rendered without the `sandbox` attribute, which is the cross-site scripting (XSS) vulnerability. The rendering path is only protected once this method rewrites each `<iframe>` to carry a `sandbox` attribute.
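An added example, not Liferay's code and not taken from the fix commit, that shows in Python the difference the two paragraphs above describe: a pass-through `vulnerable_sanitize` next to a `sanitize` that re-serialises the entry body and forces an allowlisted `sandbox` attribute onto every `<iframe>`. The function names, the `ALLOWED_SANDBOX_TOKENS` allowlist and the sample blog-entry markup are assumptions made for the illustration. The allowlist deliberately never honours `allow-same-origin`, because a same-origin frame granted both `allow-scripts` and `allow-same-origin` can strip its own sandbox; the pass also only addresses the `sandbox` attribute and is meant to sit alongside a full HTML sanitiser, not replace one.

```python
"""Illustrative iframe sandboxing pass for user-supplied HTML (added example,
not Liferay code). Shows the pass-through behaviour the page attributes to the
vulnerable state next to a hardened rewrite that enforces ``sandbox``."""
from html import escape
from html.parser import HTMLParser

# Sandbox tokens we are willing to honour if the author asked for them
# (assumption for this example). ``allow-same-origin`` is deliberately absent:
# combined with ``allow-scripts`` it lets same-origin frame content remove its
# own sandbox, which defeats the protection.
ALLOWED_SANDBOX_TOKENS = frozenset({"allow-forms", "allow-popups", "allow-scripts"})


def vulnerable_sanitize(content: str) -> str:
    """Pass-through: the behaviour the page describes for the initial
    ``sanitize`` body. Any ``<iframe>`` reaches the browser exactly as written."""
    return content


def _sandboxed_attrs(attrs):
    """Drop any author-supplied ``sandbox`` and append a fixed, allowlisted one.
    An empty ``sandbox=""`` is the most restrictive setting."""
    requested = set()
    kept = []
    for name, value in attrs:
        if name.lower() == "sandbox":
            if value:
                requested.update(value.lower().split())
        else:
            kept.append((name, value))
    kept.append(("sandbox", " ".join(sorted(requested & ALLOWED_SANDBOX_TOKENS))))
    return kept


class _IFrameSandboxer(HTMLParser):
    """Re-serialises markup, rewriting only ``<iframe>`` start tags."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through verbatim
        super().__init__(convert_charrefs=False)
        self.out = []
        self.iframes_rewritten = 0

    @staticmethod
    def _render(tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def _emit_start(self, tag, attrs, self_closing):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME> is caught too
        if tag == "iframe":
            attrs = _sandboxed_attrs(attrs)
            self.iframes_rewritten += 1
        self.out.append(self._render(tag, attrs, self_closing))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def sanitize(content: str) -> str:
    """Hardened version: every iframe in ``content`` leaves with an allowlisted
    ``sandbox`` attribute, regardless of what the author supplied."""
    parser = _IFrameSandboxer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample blog-entry body: a frame that asks for the unsafe
    # allow-same-origin + allow-scripts combination.
    BLOG_ENTRY = (
        '<p>Hello &amp; welcome</p>'
        '<iframe src="https://frames.example.test/embed" '
        'sandbox="allow-scripts allow-same-origin allow-top-navigation"></iframe>'
    )
    print(vulnerable_sanitize(BLOG_ENTRY))
    print(sanitize(BLOG_ENTRY))
```

Run the module directly to see the same constructed entry before and after the pass; the author-requested `allow-same-origin` and `allow-top-navigation` tokens are dropped and only `allow-scripts` survives, while a frame with no `sandbox` at all gets the fully restrictive empty value.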

WAF Protection Rules

WAF Rule

Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP ****.Q*.* through ****.Q*.**, ****.Q*.* through ****.Q*.*, *.* ** through update **, *.* ** throu
