CVE-2025-4604: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal

Severity: Medium
Tags: vulnerability, cve-2025-4604, cwe-79
Published: Mon Aug 04 2025 (08/04/2025, 22:08:53 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

AI-Powered Analysis

Last updated: 08/04/2025, 22:32:57 UTC

Technical Analysis

CVE-2025-4604 is a medium-severity vulnerability classified under CWE-79, improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). It affects multiple versions of Liferay Portal, specifically 7.4.3.80 through 7.4.3.132, the Liferay DXP quarterly releases from 2024.Q1.1 through 2025.Q1.15, and 7.4 updates 80 through 92. The core issue is that an attacker can bypass the Captcha verification mechanism within the portal; having done so, the attacker can inject and execute scripts in the Gogo shell, the OSGi console used for managing and configuring the Liferay Portal environment. In the CVSS 4.0 vector, exploitation requires low privileges (PR:L) and active user interaction (UI:A), attack complexity is high (AC:H), and the confidentiality impact on the vulnerable system is high (VC:H). The attack vector is network-based (AV:N), meaning it can be exploited remotely. The vulnerability impacts confidentiality and integrity to a low extent, with no impact on availability. The subsequent-system confidentiality impact is high (SC:H), indicating that the vulnerability affects components beyond the initially vulnerable component. The CVSS 4.0 score is 6.9, reflecting a medium severity level. No known exploits are currently reported in the wild, and no official patches have been linked yet. Successful exploitation could allow attackers to execute arbitrary scripts in the Gogo shell, potentially leading to unauthorized configuration changes, data leakage, or further compromise of the portal environment.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a significant risk, especially for those relying on these platforms for public-facing websites, intranets, or business-critical applications. Successful exploitation could allow attackers to bypass Captcha protections, facilitating automated attacks or brute force attempts. Execution of scripts in the Gogo shell could lead to unauthorized administrative actions, data manipulation, or lateral movement within the affected infrastructure. This could compromise sensitive personal data, intellectual property, or disrupt business operations. Given the widespread use of Liferay in sectors such as government, finance, healthcare, and telecommunications across Europe, the impact could extend to critical services and regulatory compliance obligations under GDPR. The medium severity rating suggests that while the vulnerability is not trivially exploitable, the potential consequences warrant prompt attention to prevent escalation or chained attacks.

Mitigation Recommendations

European organizations should implement a multi-layered mitigation strategy. First, they should monitor Liferay's official channels for patches or updates addressing CVE-2025-4604 and apply them promptly once available. In the interim, organizations can harden their Liferay Portal configurations by disabling or restricting access to the Gogo shell console, limiting it to trusted administrators only, and enforcing strong authentication and network segmentation. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting Captcha bypass attempts and script injections can reduce exposure. Additionally, reviewing and tightening input validation and output encoding mechanisms within custom Liferay modules or themes can help mitigate XSS risks. Regular security audits and penetration testing focusing on the Captcha implementation and Gogo shell access controls are recommended to identify and remediate weaknesses. Finally, educating administrators and developers about secure coding practices and the risks associated with improper input neutralization will support long-term resilience.

Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-05-12T18:19:02.237Z
CVSS Version
4.0
State
PUBLISHED

Threat ID: 68913186ad5a09ad00e3622a

Added to database: 8/4/2025, 10:17:42 PM

Last enriched: 8/4/2025, 10:32:57 PM

Last updated: 8/5/2025, 12:34:48 AM
