PT-2025-16960 · Liferay · Liferay Portal+1

Lucas Machado +1 · Published 2025-04-17 · Updated 2025-04-29 · CVE-2025-3760

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.2.0 through 7.4.3.129
Liferay DXP versions 2024.Q4.1 through 2024.Q4.7
Liferay DXP versions 2024.Q3.1 through 2024.Q3.9
Liferay DXP versions 2024.Q2.0 through 2024.Q2.13
Liferay DXP versions 2024.Q1.1 through 2024.Q1.12
Liferay DXP versions 2023.Q4.0 through 2023.Q4.10
Liferay DXP versions 2023.Q3.1 through 2023.Q3.10
Liferay Portal versions 7.4 GA through update 92
Liferay Portal versions 7.3 GA through update 36
Liferay Portal versions 7.2 GA through fix pack 20

Description

A stored cross-site scripting (XSS) issue exists with radio button type custom fields, allowing remote authenticated attackers to inject malicious JavaScript into a page.

Recommendations

For Liferay Portal versions 7.2.0 through 7.4.3.129, update to a version that includes the fix for this issue.
For Liferay DXP versions 2024.Q4.1 through 2024.Q4.7, update to a version that includes the fix for this issue.
For Liferay DXP versions 2024.Q3.1 through 2024.Q3.9, update to a version that includes the fix for this issue.
For Liferay DXP versions 2024.Q2.0 through 2024.Q2.13, update to a version that includes the fix for this issue.
For Liferay DXP versions 2024.Q1.1 through 2024.Q1.12, update to a version that includes the fix for this issue.
For Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, update to a version that includes the fix for this issue.
For Liferay DXP versions 2023.Q3.1 through 2023.Q3.10, update to a version that includes the fix for this issue.
For Liferay Portal versions 7.4 GA through update 92, apply update 93 or later.
For Liferay Portal versions 7.3 GA through update 36, apply update 37 or later.
For Liferay Portal versions 7.2 GA through fix pack 20, apply fix pack 21 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-3760
GHSA-QHP6-VP7C-G7XP

Affected Products

Liferay DXP
Liferay Portal