CVE-2025-43824

EPSS 0.03%

Liferay Profile Widget does not prevent vCard extension spoofing

Published: 10/7/2025Modified: 12/17/2025

Description

The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded.

Affected packages (1)

Maven/com.liferay.portal:release.portal.bom>= 7.4.0-ga1, < 7.4.3.112-ga112

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-43824
PATCHhttps://github.com/liferay/liferay-portal
WEBhttps://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43824