Liferay: Stored XSS in Radio Button Custom Fields Allows JavaScript Injection by Authenticated Users

In Liferay Portal versions 7.2.0 through 7.4.3.129 and Liferay DXP versions 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36 and 7.2 GA through fix pack 20 a medium severity vulnerability CVE-2025-3760 was detected. This vulnerability allows remote authenticated attackers to inject malicious JavaScript into a page using radio button type custom fields. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.132 and Liferay DXP to versions 2024.Q1.13, 2024.Q3.10 or 2025.Q1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3760.