CVE-2025-43824 – Liferay Portal Cross-Site Scripting (XSS) and File Extension Manipulation

CVE ID : CVE-2025-43824

Published : Oct. 6, 2025, 10:15 p.m. | 18 minutes ago

Description : The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded.

Severity: 4.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…