
CVE-2025-43824: Liferay Profile Widget does not prevent vCard extension spoofing

CVSS Score: N/A

Basic Information

EPSS Score: 0.37861%
Published: 10/7/2025
Updated: 10/7/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay.portal:release.portal.bom
Ecosystem: maven
Vulnerable Versions: >= 7.4.0-ga1, < 7.4.3.112-ga112
First Patched Version: 7.4.3.112-ga112

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows authenticated users to spoof the file extension of a downloaded vCard file, because the user's full name is used directly in the Content-Disposition header without proper sanitization. An attacker could set their full name to a value like ../../sensitive.txt to potentially traverse directories and overwrite files, or to filename.bat to trick the user into executing a malicious file. Analysis of the referenced patch, commit 7b4403becd9433ccefb44005d28d85b943bb1ecc, points to the exportVCard method of the com.liferay.contacts.web.internal.portlet.ContactsCenterPortlet class as the vulnerable function. The patch URL-encodes the user's full name, a standard mitigation for this type of injection: the browser no longer interprets special characters in the filename, and the file is downloaded with the intended .vcf extension.

Vulnerable functions

com.liferay.contacts.web.internal.portlet.ContactsCenterPortlet.exportVCard
modules/apps/contacts/contacts-web/src/main/java/com/liferay/contacts/web/internal/portlet/ContactsCenterPortlet.java
The vulnerability lies in the `exportVCard` function, where the user's full name is used directly to construct the filename in the `Content-Disposition` header. A malicious user with a crafted full name containing directory traversal characters (e.g., `../../..`) and a fake extension could cause the downloaded vCard file to have a different, potentially malicious, extension. The patch mitigates this by URL-encoding the user's full name before using it in the header, which neutralizes the malicious characters.
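The header pattern described above, as an added example that is not Liferay's code and not from the page: the unsanitized concatenation beside a URL-encoded form in the spirit of the patch, plus a check a reviewer can run on any outgoing header value. The class, method names and sample names are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/** Added example (not Liferay code): building the vCard Content-Disposition header. */
public final class VCardDisposition {

    // Pattern the analysis describes: the user's full name is concatenated into the
    // header as-is. A name containing '"' or ';' ends the quoted filename early, so a
    // browser may see a different name and extension than the intended <name>.vcf.
    static String vulnerableHeader(String fullName) {
        return "attachment; filename=\"" + fullName + ".vcf\"";
    }

    // Mitigation: URL-encode the name first, so '"', ';', '/', '\\', CR/LF and
    // non-ASCII never reach the header unencoded. filename* carries the RFC 5987
    // form; the plain filename is a fallback for clients that ignore filename*.
    static String safeHeader(String fullName) {
        String encoded = URLEncoder.encode(fullName, StandardCharsets.UTF_8)
                                   .replace("+", "%20");
        String name = encoded + ".vcf";
        return "attachment; filename=\"" + name + "\"; filename*=UTF-8''" + name;
    }

    // Defensive check: the only '"' characters should be the pair quoting the
    // filename, and no CR/LF may reach the response (header injection).
    static boolean looksSafe(String headerValue) {
        long quotes = headerValue.chars().filter(c -> c == '"').count();
        return quotes == 2 && !headerValue.contains("\r") && !headerValue.contains("\n");
    }

    public static void main(String[] args) {
        // Constructed sample names; the last two are the kind the analysis warns about.
        String[] names = { "Jane Doe", "../../sensitive.txt", "report.bat\"" };
        for (String n : names) {
            String v = vulnerableHeader(n);
            String s = safeHeader(n);
            System.out.printf("name=%s%n  vulnerable: %s  (passes check=%b)%n"
                            + "  hardened:   %s  (passes check=%b)%n",
                              n, v, looksSafe(v), s, looksSafe(s));
        }
    }
}
```

With the quoted name, vulnerableHeader yields three '"' characters and fails the check, while safeHeader encodes it to %22 and keeps the .vcf suffix intact.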
