Stored Cross-Site Scripting Vulnerability in Liferay Portal and DXP
CVE-2025-3760
4.8 MEDIUM
Summary
A stored cross-site scripting (XSS) vulnerability has been identified in several versions of Liferay Portal and Liferay DXP. This flaw allows authenticated attackers to inject malicious JavaScript into web pages via custom radio button fields. Successful exploitation of this vulnerability can enable attackers to execute arbitrary scripts in the context of users, potentially leading to data theft, session hijacking, or other malicious activities.
Affected Version(s)
DXP 7.2.10
DXP 7.3.10 <= 7.3.10-u36
DXP 7.4.13 <= 7.4.13-u92
References
CVSS V4
Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lucas Machado from Devoteam Cyber Trust
milCERT AT