CVE-2025-3760 MEDIUM

CVE-2025-3760

Vendor Liferay
Product Portal
Weakness CWE-79 · XSS
Published April 17, 2025
Last update September 4, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

Key dates

02Disclosure timeline

April 17, 2025 CVE published
September 4, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-34409 MailEnable < 10.54 Reflected XSS in Failed Parameter of MAI/AddRecipientsResult.aspx CVE-2026-48903 Joomla! Framework - [20260519] - Inadequate content filtering within the checkAttribute filter code. CVE-2023-5618 Modern Footnotes <= 1.4.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-9115 Common Tools for Site <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2025-12117 Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title