CVE-2025-3760 - Stored Cross-Site Scripting in Liferay Portal and Liferay DXP

1. Vulnerability Properties

Title: Stored Cross-Site Scripting in Liferay Portal and Liferay DXP
CVE ID: CVE-2025-3760
CVSSv4 Base Score: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Vendor: Liferay, Inc
Products: Liferay Portal and Liferay DXP
Advisory Release Date: 17-04-2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-3760
Credits: Discovery by Lucas Machado <lucas.machado[at]devoteam.com>

2. Vulnerability Summary

A stored cross-site scripting (XSS) vulnerability in the radio button-type custom fields of Liferay Portal and Liferay DXP allows remote authenticated attackers to inject malicious JavaScript into pages.
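As an added illustration (not Liferay's own code; the field name, option values and function names are assumptions), the rendering pattern behind this bug class for a radio-button custom field, beside its hardened form with context-aware HTML encoding applied to every stored value:

```javascript
// Added example, not Liferay code: render a radio-button custom field from
// stored option values, first without encoding (the XSS pattern) and then with
// HTML encoding applied to every stored value before it reaches the markup.

// Encode for HTML element content and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored option values are concatenated into markup as-is,
// so an option can close the value="" attribute and start a new element.
function renderRadioFieldUnsafe(fieldName, options) {
  return options
    .map((opt, i) =>
      `<label><input type="radio" name="${fieldName}" value="${opt}" id="${fieldName}-${i}">${opt}</label>`)
    .join("\n");
}

// Hardened form: the field name and each option are encoded for the context
// they land in (double-quoted attribute and element text, which escapeHtml
// covers); nothing stored reaches the page unencoded.
function renderRadioFieldSafe(fieldName, options) {
  const safeName = escapeHtml(fieldName);
  return options
    .map((opt, i) => {
      const safeOpt = escapeHtml(opt);
      return `<label><input type="radio" name="${safeName}" value="${safeOpt}" id="${safeName}-${i}">${safeOpt}</label>`;
    })
    .join("\n");
}

// Constructed sample (hypothetical field): one benign option and one that
// breaks out of the attribute context when rendered unencoded.
const SAMPLE_FIELD = "priority";
const SAMPLE_OPTIONS = ["Yes", '"><script>alert(1)</script>'];

// Review check over rendered markup: does a stored value survive as a raw tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Running `renderRadioFieldUnsafe(SAMPLE_FIELD, SAMPLE_OPTIONS)` yields markup in which the second option is live script, while `renderRadioFieldSafe` emits it as inert text inside the label and attribute.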

3. Vulnerable Versions

  • Liferay Portal 7.4.0 through 7.4.3.129
  • Liferay Portal 7.3.0 through 7.3.7
  • Liferay Portal 7.2.0 and 7.2.1
  • Liferay Portal, older unsupported versions
  • Liferay DXP 2024.Q4
  • Liferay DXP 2024.Q3.1 through DXP 2024.Q3.9
  • Liferay DXP 2024.Q2
  • Liferay DXP 2024.Q1.1 through DXP 2024.Q1.12
  • Liferay DXP 2023.Q4
  • Liferay DXP 2023.Q3
  • Liferay DXP 7.4
  • Liferay DXP 7.3
  • Liferay DXP 7.2
  • Liferay DXP, older unsupported versions

4. Solution

  • Upgrade to Liferay Portal 7.4.3.132 or to one of the following Liferay DXP versions: 2024.Q1.13, 2024.Q3.10, or 2025.Q1.0, which address this vulnerability.

5. Vulnerability Timeline

  • 11/Apr/2024 - Bug reported to vendor
  • 04/Oct/2024 - Bug validated by vendor
  • 17/Apr/2025 - Advisory released

6. References



© 2025 INTEGRITY S.A. All rights reserved. | Cookie Policy