{"id":71073,"date":"2025-10-07T01:45:37","date_gmt":"2025-10-06T22:15:37","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-43824-liferay-portal-cross-site-scripting-xss-and-file-extension-manipulation\/"},"modified":"2025-10-07T01:45:37","modified_gmt":"2025-10-06T22:15:37","slug":"cve-2025-43824-liferay-portal-cross-site-scripting-xss-and-file-extension-manipulation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-43824-liferay-portal-cross-site-scripting-xss-and-file-extension-manipulation\/","title":{"rendered":"CVE-2025-43824 &#8211; Liferay Portal Cross-Site Scripting (XSS) and File Extension Manipulation"},"content":{"rendered":"<p>CVE ID : CVE-2025-43824<\/p>\n<p>Published :  Oct. 6, 2025, 10:15 p.m. | 18\u00a0minutes ago<\/p>\n<p>Description : The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user\u2019s name in the \u201cContent-Disposition\u201d header, which allows remote authenticated users to change the file extension when a vCard file is downloaded.<\/p>\n<p>Severity: 4.8 | MEDIUM<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-43824 Published : Oct. 6, 2025, 10:15 p.m. | 18\u00a0minutes ago Description : The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user\u2019s name in the \u201cContent-Disposition\u201d header, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-71073","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=71073"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/71073\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=71073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=71073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=71073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}