CVE-2025-3760: XSS
First published: Thu Apr 17 2025(Updated: )
A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.
Credit: security@liferay.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Liferay 7.4 GA | >=7.2.0<7.4.3.129 | |
| Liferay 7.4 GA | >=2024.Q4.1<=2024.Q4.7>=2024.Q3.1<=2024.Q3.9>=2024.Q2.0<=2024.Q2.13>=2024.Q1.1<=2024.Q1.12>=2023.Q4.0<=2023.Q4.10>=2023.Q3.1<=2023.Q3.10 | |
| Liferay 7.4 GA | >=7.4<7.4.92>=7.3<7.3.36>=7.2<7.2.20 | |
| maven/com.liferay.portal:release.dxp.bom | =7.4.13 | |
| maven/com.liferay.portal:release.dxp.bom | >=7.3.10.0<=7.3.10.3 | |
| maven/com.liferay.portal:release.dxp.bom | >=7.2.10<=7.2.10.8 | |
| maven/com.liferay.portal:release.dxp.bom | >=2024.Q4.1<=2024.Q4.7 | 2025.Q1.0 |
| maven/com.liferay.portal:release.dxp.bom | >=2024.Q3.1<=2024.Q3.9 | 2024.Q3.10 |
| maven/com.liferay.portal:release.dxp.bom | >=2024.Q2.0<=2024.Q2.13 | |
| maven/com.liferay.portal:release.dxp.bom | >=2024.Q1.1<=2024.Q1.12 | 2024.Q1.13 |
| maven/com.liferay.portal:release.dxp.bom | >=2023.Q4.0<=2023.Q4.10 | |
| maven/com.liferay.portal:release.dxp.bom | >=2023.Q3.1<=2023.Q3.10 | |
| maven/com.liferay.portal:release.dxp.bom | >=7.4.13.u1<=7.4.13.u92 | |
| maven/com.liferay.portal:release.dxp.bom | >=7.3.10.ep1<=7.3.10.u36 | |
| maven/com.liferay.portal:release.dxp.bom | >=7.2.10.fp1<=7.2.10.fp20 | |
| maven/com.liferay.portal:release.portal.bom | >=7.2.0<7.4.3.132 | 7.4.3.132 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-3760?
CVE-2025-3760 is classified as a high severity vulnerability due to the potential for stored cross-site scripting attacks.
How do I fix CVE-2025-3760?
To fix CVE-2025-3760, update Liferay Portal to version 7.4.4 and DXP to the latest security release beyond the affected versions.
What versions are affected by CVE-2025-3760?
CVE-2025-3760 affects Liferay Portal 7.2.0 through 7.4.3.129 and multiple versions of Liferay DXP within specific ranges.
What type of vulnerability is CVE-2025-3760?
CVE-2025-3760 is a stored cross-site scripting (XSS) vulnerability that can allow attackers to inject malicious scripts.
What impact can CVE-2025-3760 have on my website?
CVE-2025-3760 can lead to unauthorized data access, phishing attacks, or compromised user sessions on affected websites.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/severity
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qhp6-vp7c-g7xp
- alias/CVE-2025-3760
- agent/references
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/github-advisory
- vendor/liferay
- canonical/liferay 7.4 ga
- package-manager/maven