CVE-2025-3760

MEDIUM

Liferay Portal 7.2.0-7.4.3.129 & DXP 2024.Q4.1-2024.Q4.7 - Authenticated Stored XSS in Radio Button Fields

Title source: llm

Description

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760

Scores

CVSS v3 5.4

EPSS 0.0012

EPSS Percentile 30.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

com.liferay.portal/release.dxp.bom 7.2.10.fp1Maven

com.liferay.portal/release.portal.bom 7.2.0 - 7.4.3.132Maven

liferay/digital_experience_platform 7.2 - 7.4

liferay/liferay_portal 7.2.0 - 7.4.3.129

Published Apr 17, 2025

Tracked Since Feb 18, 2026