CVE-2025-3760 is a stored cross-site scripting (XSS) vulnerability affecting multiple versions of Liferay Portal, specifically versions 7.2.0 through 7.4.3.129 and various quarterly releases of Liferay DXP from 2023.Q3 through 2024.Q4. This vulnerability arises from improper neutralization of input during web page generation, categorized under CWE-79. The flaw specifically involves radio button type custom fields, where remote authenticated attackers can inject malicious JavaScript code that is stored and later executed in the context of users viewing the affected pages. The vulnerability requires the attacker to have authenticated access, but does not require elevated privileges beyond that. The CVSS v4.0 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and partial impact on confidentiality and integrity with limited scope. Exploitation could allow attackers to execute arbitrary scripts in victim browsers, potentially leading to session hijacking, unauthorized actions, or data theft within the portal environment. No known exploits are currently reported in the wild, and no official patches are linked yet, indicating that remediation may still be pending or in progress. The vulnerability affects a widely used enterprise portal platform that integrates web content management, collaboration, and business applications, making it a relevant concern for organizations relying on Liferay for internal or external web services.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a moderate risk. Successful exploitation could compromise user sessions, leading to unauthorized access to sensitive information or manipulation of portal content. Since the attack requires authenticated access, the threat is more significant in environments with many users or where user credentials are less tightly controlled. The stored XSS could be leveraged to target high-value users such as administrators or employees with elevated permissions, potentially escalating the impact. Given the portal's role in business processes, collaboration, and content delivery, exploitation could disrupt operations, damage trust, and lead to data leakage. Additionally, regulatory frameworks like GDPR impose strict requirements on data protection; any breach resulting from this vulnerability could lead to compliance violations and financial penalties. The absence of known exploits reduces immediate risk, but the medium severity and widespread use of Liferay in Europe warrant proactive mitigation.

Organizations should immediately audit their Liferay Portal and DXP deployments to identify affected versions. Since no official patches are linked yet, interim mitigations include: 1) Restricting the ability to create or modify radio button type custom fields to highly trusted users only, minimizing the attack surface. 2) Implementing strict input validation and output encoding on custom fields at the application or web server level, if feasible, to neutralize malicious scripts. 3) Enhancing monitoring and logging for suspicious activities related to custom field modifications and user interactions. 4) Educating users about the risks of clicking on unexpected links or executing scripts within the portal. 5) Planning for timely application of vendor patches once released. 6) Reviewing and tightening authentication mechanisms to reduce the risk of compromised credentials. 7) Employing Content Security Policy (CSP) headers to limit the impact of injected scripts. These targeted steps go beyond generic advice by focusing on the specific vector (radio button custom fields) and the authenticated nature of the attack.