CVE-2025-4604: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell
AI Analysis
Technical Summary
CVE-2025-4604 is a medium-severity vulnerability classified under CWE-79, Improper Neutralization of Input During Web Page Generation (cross-site scripting, XSS). It affects Liferay Portal 7.4.3.80 through 7.4.3.132; Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7 and 2025.Q1.0 through 2025.Q1.15; and Liferay DXP 7.4 update 80 through update 92. The vendor description states that vulnerable code allows the Captcha check to be bypassed, after which an attacker can run scripts in the Gogo shell, the OSGi command console that Liferay exposes in the Control Panel. Two things on this page bound how that should be read: the CWE is XSS and the severity is medium, so the scripts in question are attacker-supplied content rendered into a page and executed by the browser of whoever uses the Gogo shell page, not server-side command execution; the description does not establish that the bypass alone lets an attacker issue OSGi or operating-system commands. The CVSS 4.0 components cited here are network attack vector (AV:N), high attack complexity (AC:H), low privileges required (PR:L), active user interaction (UI:A), high confidentiality impact on the vulnerable system (VC:H) and on subsequent systems (SC:H), and low integrity and availability impacts. (CVSS 4.0 has no scope metric; SC is the subsequent-system confidentiality metric, not a scope change.) In plain terms: the attacker needs an account on the portal, the attack is not trivial to land, and a higher-privileged user, in practice an administrator working in the Gogo shell, must interact with the injected content. No exploitation in the wild has been reported. Each affected range is bounded, which implies that the release immediately following each range carries the fix, but this page gives no patch reference, so confirm the fixed versions against Liferay's own advisory before acting.
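The version ranges above are awkward to check by eye because Liferay uses three numbering schemes at once (Portal 7.4.3.x patch numbers, DXP quarterly releases, and DXP 7.4 update numbers). As an added example that is not part of this advisory or of Liferay's own tooling, the following Python script encodes the ranges exactly as listed and triages a constructed inventory. The hostnames and versions in SAMPLE_INVENTORY are made up, and the "7.4.13-uNN" spelling accepted for DXP updates is an assumed operator shorthand, not wording from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as listed in the CVE-2025-4604 description
# (inclusive on both ends).
PORTAL_743_RANGE = (80, 132)            # Liferay Portal 7.4.3.80 .. 7.4.3.132
DXP_74_UPDATE_RANGE = (80, 92)          # Liferay DXP 7.4 update 80 .. update 92
DXP_QUARTERLY_RANGES = {                # Liferay DXP quarterly release lines
    "2024.Q1": (1, 19),
    "2024.Q2": (0, 13),
    "2024.Q3": (0, 13),
    "2024.Q4": (0, 7),
    "2025.Q1": (0, 15),
}

_PORTAL_RE = re.compile(r"^7\.4\.3\.(\d+)$")
_QUARTERLY_RE = re.compile(r"^(20\d{2}\.Q[1-4])\.(\d+)$")
# "7.4 update 92" is the advisory's wording; "7.4.13-u92" is an assumed
# operator spelling of the same thing and is accepted for convenience.
_UPDATE_RE = re.compile(r"^7\.4(?:\.13)?(?:\s+update\s+|-u)(\d+)$", re.IGNORECASE)


def parse_version(version: str) -> Optional[Tuple[str, str, int]]:
    """Classify a version string as (family, line, number), or None if unknown."""
    v = version.strip()
    m = _PORTAL_RE.match(v)
    if m:
        return ("portal", "7.4.3", int(m.group(1)))
    m = _QUARTERLY_RE.match(v)
    if m:
        return ("dxp-quarterly", m.group(1), int(m.group(2)))
    m = _UPDATE_RE.match(v)
    if m:
        return ("dxp-update", "7.4", int(m.group(1)))
    return None


def is_affected(version: str) -> Tuple[Optional[bool], str]:
    """Return (True/False/None, reason); None means the string was not understood."""
    parsed = parse_version(version)
    if parsed is None:
        return None, f"unrecognised version string {version!r}; check by hand"
    family, line, n = parsed
    if family == "portal":
        lo, hi = PORTAL_743_RANGE
    elif family == "dxp-update":
        lo, hi = DXP_74_UPDATE_RANGE
    else:
        if line not in DXP_QUARTERLY_RANGES:
            return False, f"{line} is not among the listed quarterly lines"
        lo, hi = DXP_QUARTERLY_RANGES[line]
    if lo <= n <= hi:
        return True, f"{version} lies in the affected range {line} {lo}..{hi}"
    return False, f"{version} lies outside the affected range {line} {lo}..{hi}"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Map {host: version} to rows of (host, version, status, reason)."""
    rows = []
    for host, version in sorted(inventory.items()):
        affected, reason = is_affected(version)
        status = {True: "PATCH", False: "OK", None: "REVIEW"}[affected]
        rows.append((host, version, status, reason))
    return rows


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "portal-prod-1": "7.4.3.132",
    "portal-prod-2": "7.4.3.133",
    "dxp-eu-1": "2024.Q4.7",
    "dxp-eu-2": "2025.Q2.0",
    "dxp-legacy": "7.4 update 85",
    "dxp-legacy-2": "7.4.13-u93",
    "unknown-box": "7.3.7",
}

if __name__ == "__main__":
    for host, version, status, reason in triage(SAMPLE_INVENTORY):
        print(f"{status:6} {host:14} {version:14} {reason}")
```

Versions the script does not recognise are reported as REVIEW rather than OK, so an unusual spelling in an inventory never silently passes as unaffected; a quarterly line that is not listed (for example anything after 2025.Q1) is reported as OK because the advisory names the affected lines explicitly.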
Potential Impact
For European organizations running Liferay Portal or DXP, the practical risk is script execution in the browser of an administrator using the Gogo shell page. Because the Gogo shell is the portal's OSGi management console, anything done on that page with the administrator's session carries administrator privileges, so a successful attack could be used to read sensitive portal data or to alter configuration; the CVSS components cited on this page (VC:H, SC:H, with integrity and availability rated low) indicate that the main impact is loss of confidentiality. Given Liferay's use in government, financial and enterprise sectors across Europe, the exposed data can include citizen or customer records. Separately, a Captcha bypass removes the rate-limiting role that Captcha plays on public forms, so automated attempts such as credential stuffing or brute force become easier wherever the same check is relied on. Organizations subject to GDPR may face regulatory consequences if exploitation leads to a personal-data breach or to service interruption.
Mitigation Recommendations
1. Upgrade to the release that closes each affected range as soon as possible; because this page lists no patch reference, confirm the fixed version numbers against Liferay's own advisory.
2. Until then, reduce who can reach the Gogo shell. Keep the Gogo Shell Control Panel entry limited to a small set of administrator roles, and where your Liferay version allows the console to be turned off, disable it on instances that do not need it. Network segmentation and firewall rules protect the telnet-based OSGi console, but they do not stop an XSS payload that reaches an administrator who is legitimately logged in to the web UI.
3. A WAF can add defense in depth against script-injection patterns in request parameters on Control Panel URLs, but treat it as a stop-gap: WAF rules are routinely bypassed for XSS and do nothing about the Captcha bypass itself.
4. Log and alert on use of the Gogo Shell portlet (who, from where, how often) and on Captcha outcomes per account, and review any Gogo shell activity that does not match an expected administrator session.
5. Include input validation, output encoding and Captcha enforcement in regular assessments and penetration tests of the portal and its custom extensions.
6. Make sure administrators and developers understand XSS and apply output encoding in custom portlets, themes and integrations, since the same class of flaw in custom code has the same consequences as this CVE.
7. If the Gogo shell is not in active use, consider removing access to it for all but break-glass administrator accounts until the patch is applied.
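Point 4 above is the control most organizations can put in place the same day. As an added example that is not part of this advisory, the following Python script implements that monitoring over Tomcat access logs in the standard "combined" format: it flags every request to the Gogo Shell portlet, flags Gogo shell requests from outside an administrator network, and flags URL-decoded query strings that carry script-injection markers. The portlet id GOGO_SHELL_PORTLET_ID is derived from Liferay's naming convention for OSGi portlets and is an assumption to verify against your own instance; ADMIN_NETWORKS and the four log lines in SAMPLE_LOG are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Portlet id of the Control Panel Gogo Shell. This follows Liferay's naming
# convention for OSGi portlets (fully qualified class name with dots replaced
# by underscores) and is an assumption: confirm it against your own instance.
GOGO_SHELL_PORTLET_ID = "com_liferay_gogo_shell_web_internal_portlet_GogoShellPortlet"

# Networks from which administrators are expected to use the Gogo shell
# (constructed for this example).
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Crude script-injection markers, matched after URL decoding. Tune for noise.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript:|on(?:error|load|mouseover)\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)

# Apache/Tomcat "combined" access-log format, as produced by Tomcat's
# AccessLogValve with the "combined" pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one access-log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)
    reasons: List[str] = []
    if GOGO_SHELL_PORTLET_ID in params.get("p_p_id", []):
        reasons.append("gogo-shell-request")
        client = ipaddress.ip_address(m["ip"])
        if not any(client in net for net in ADMIN_NETWORKS):
            reasons.append("gogo-shell-from-unexpected-network")
    if XSS_MARKERS.search(unquote_plus(url.query)):
        reasons.append("script-injection-marker")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": url.path, "status": m["status"], "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run analyse_line over a log and keep only the findings."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log: four requests, three of which should be flagged.
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Aug/2025:10:15:01 +0000] "GET /group/control_panel/manage'
    '?p_p_id=com_liferay_gogo_shell_web_internal_portlet_GogoShellPortlet&p_p_lifecycle=0'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Aug/2025:10:16:44 +0000] "POST /group/control_panel/manage'
    '?p_p_id=com_liferay_gogo_shell_web_internal_portlet_GogoShellPortlet&p_p_lifecycle=1'
    ' HTTP/1.1" 302 0 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Aug/2025:10:17:10 +0000] "GET /web/guest/home'
    '?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 800 "-" "curl/8.0"',
    '10.1.2.4 - - [12/Aug/2025:10:18:00 +0000] "GET /web/guest/home HTTP/1.1"'
    ' 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:15} {f['method']:4} {f['path']} -> {', '.join(f['reasons'])}")
```

Access logs only see URL parameters, so a payload submitted in a POST body will not trigger the script-injection rule; the Gogo shell rules still fire on such requests because the portlet id travels in the query string. Treat the marker rule as a hint for investigation, not as proof of an attack, and correlate Gogo shell hits with the portal's own audit trail of who was logged in at the time.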
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-05-12T18:19:02.237Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 8/4/2025, 10:17:42 PM
Last enriched: 8/12/2025, 1:05:24 AM
Last updated: 9/9/2025, 5:46:42 AM