CVE-2025-43824: Liferay Profile Widget does not prevent vCard extension spoofing
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | maven | >= 7.4.0-ga1, < 7.4.3.112-ga112 | 7.4.3.112-ga112 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability allows authenticated users to spoof the file extension of a downloaded vCard file. This is due to the user's name being directly used in the `Content-Disposition` header without proper sanitization. An attacker could set their full name to a value like `../../sensitive.txt` to potentially traverse directories and overwrite files, or to `filename.bat` to trick the user into executing a malicious file.

The analysis of the provided patch `7b4403becd9433ccefb44005d28d85b943bb1ecc` clearly points to the `exportVCard` method in the `com.liferay.contacts.web.internal.portlet.ContactsCenterPortlet` class as the vulnerable function. The patch applies URL encoding to the user's full name, which is a standard mitigation for this type of injection vulnerability. This prevents the browser from interpreting special characters in the filename and ensures the file is downloaded with the intended `.vcf` extension.
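The before and after shapes described above, as an added example that is not Liferay's code or the patch itself. The class and method names are hypothetical, `java.net.URLEncoder` stands in for whatever encoder the patch uses, and `isSafeFilename` is a review helper introduced here.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class VCardFilenameDemo {

    // "Before" shape: the profile name becomes the file name unchanged.
    static String rawFilename(String fullName) {
        return fullName + ".vcf";
    }

    // "After" shape: the name is URL-encoded first.
    // Assumption: URLEncoder stands in for the encoder used by the real patch.
    static String encodedFilename(String fullName) {
        return URLEncoder.encode(fullName, StandardCharsets.UTF_8) + ".vcf";
    }

    static String contentDisposition(String filename) {
        return "attachment; filename=\"" + filename + "\"";
    }

    // Review/test helper (hypothetical): true when the name carries no path
    // separator, quote, parameter delimiter or control character and still
    // ends in .vcf.
    static boolean isSafeFilename(String filename) {
        for (char c : filename.toCharArray()) {
            if (c < 0x20 || c == 0x7f || "/\\\";".indexOf(c) >= 0) {
                return false;
            }
        }
        return filename.endsWith(".vcf");
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary name plus the two values quoted in the analysis.
        List<String> names = List.of("Jane Doe", "../../sensitive.txt", "filename.bat");
        for (String name : names) {
            String before = rawFilename(name);
            String after = encodedFilename(name);
            System.out.printf("name=%s%n  before: %s safe=%b%n  after:  %s safe=%b%n",
                name, contentDisposition(before), isSafeFilename(before),
                contentDisposition(after), isSafeFilename(after));
        }
    }
}
```

`URLEncoder` leaves dots untouched, so the encoded form of `filename.bat` is unchanged and the server-appended `.vcf` remains the final extension, while the slashes in `../../sensitive.txt` become `%2F`.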
Vulnerable functions
`com.liferay.contacts.web.internal.portlet.ContactsCenterPortlet.exportVCard`

`modules/apps/contacts/contacts-web/src/main/java/com/liferay/contacts/web/internal/portlet/ContactsCenterPortlet.java`