CVE-2025-43824: 
Java vulnerability analysis and mitigation

The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111 and Liferay DXP versions (2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92) contains a vulnerability related to the Content-Disposition header handling. The vulnerability was discovered and disclosed on November 11, 2024, and was assigned identifier CVE-2025-43824 (Liferay Security).

The vulnerability stems from improper handling of user names in the Content-Disposition header when downloading vCard files through the Profile widget. The issue has been assigned a CVSS v4.0 score of 4.8 (Medium), with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. This indicates that the vulnerability requires network access, low attack complexity, and authenticated user interaction (Liferay Security).

The vulnerability allows remote authenticated users to manipulate the file extension during vCard file downloads. While the direct impact appears to be limited to file extension modification, this could potentially lead to security implications depending on how the downloaded files are handled by client systems (Liferay Security).

The vulnerability has been fixed in Liferay Portal version 7.4.3.112 and Liferay DXP versions 2024.Q2.0, 2024.Q1.1, 2023.Q4.6, and 2023.Q3.9. Users are advised to upgrade to these or later versions to address the vulnerability (Liferay Security).

The vulnerability was responsibly reported by security researcher foobar7, demonstrating ongoing security community engagement with Liferay's products (Liferay Security).