CVE-2025-43824: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded.
AI Analysis
Technical Summary
CVE-2025-43824 is filed under CWE-79 (cross-site scripting) and affects the Profile widget in Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and older unsupported versions. When a user exports a profile as a vCard, the widget builds the Content-Disposition response header from the profile owner's display name without neutralizing it. A remote authenticated user can therefore choose a name that alters the filename parameter of that header, so the file the victim's browser saves no longer carries the expected .vcf extension. Because the vCard body is assembled from the same attacker-controlled profile fields, a download renamed to an extension such as .html that the victim then opens could run attacker-supplied script in the victim's browser, which is presumably why the vendor classifies the issue as XSS rather than as plain response-header injection. The CVSS 4.0 base score is 4.8 (medium): the attacker needs an account on the portal and the victim must trigger the download, which confines the realistic impact to the client of the user who exports the vCard. No public exploit is known at the time of writing and the advisory does not link a patch, so organizations should track vendor updates and treat every deployment inside the listed ranges as affected.
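The following added Python example is not Liferay's code: the vulnerable builder is an assumed reconstruction of the pattern the advisory describes (display name concatenated into the header), and the sample names are constructed. It shows how a crafted name can close the quoted filename parameter early so a browser keeps a .html extension, a hardened builder that forces .vcf and carries non-ASCII through RFC 5987 filename*, and a check that can be run against observed response headers.

```python
"""Header-splicing in Content-Disposition: flawed pattern, hardened builder,
and a checker for observed headers. Added illustration, not Liferay code."""
import re
from typing import List, Optional
from urllib.parse import quote, unquote

# Constructed sample profile names (not taken from any real system).
SAFE_NAME = "Jane Doe"
UNICODE_NAME = "Zoë Müller"
# Closes the quoted filename parameter early so the browser keeps ".html".
MALICIOUS_NAME = 'Mallory.html"; x="'


def vulnerable_disposition(name: str) -> str:
    """Assumed flawed pattern: raw display name spliced into the header."""
    return f'attachment; filename="{name}.vcf"'


def _split_params(header: str) -> List[str]:
    """Split on ';' while honouring double-quoted strings."""
    params, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            params.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    params.append("".join(buf).strip())
    return params


def effective_filename(header: str) -> Optional[str]:
    """Filename a browser would save, following RFC 6266: filename* wins."""
    plain, extended = None, None
    for param in _split_params(header)[1:]:
        key, _, value = param.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "filename*":
            # RFC 5987 form: charset'lang'pct-encoded-value
            extended = unquote(value.split("'", 2)[-1], encoding="utf-8")
        elif key == "filename":
            plain = value.strip('"')
    return extended if extended is not None else plain


def safe_disposition(name: str) -> str:
    """Hardened builder: drop control and structural characters, discard any
    user-supplied extension, force .vcf, carry non-ASCII via filename*."""
    cleaned = "".join(
        ch for ch in name if ch.isprintable() and ch not in "\\/\"';."
    )
    base = cleaned.strip()[:100] or "contact"
    ascii_base = re.sub(r"[^A-Za-z0-9 _-]", "_", base)  # quoted ASCII fallback
    extended = quote(f"{base}.vcf", safe="")  # attr-char safe pct-encoding
    return f"attachment; filename=\"{ascii_base}.vcf\"; filename*=UTF-8''{extended}"


def header_is_safe(header: str) -> bool:
    """Check an observed Content-Disposition value: no CR/LF, no path
    separators, and the effective filename ends in .vcf."""
    if "\r" in header or "\n" in header:
        return False
    name = effective_filename(header)
    return (
        name is not None
        and name.lower().endswith(".vcf")
        and "/" not in name
        and "\\" not in name
    )


if __name__ == "__main__":
    for label, name in (("safe", SAFE_NAME), ("malicious", MALICIOUS_NAME)):
        for builder in (vulnerable_disposition, safe_disposition):
            hdr = builder(name)
            print(f"{label:9s} {builder.__name__:23s} -> {effective_filename(hdr)!r}"
                  f" ok={header_is_safe(hdr)}")
```

`header_is_safe` is the piece operators can reuse: point it at Content-Disposition values captured by a reverse proxy on vCard download responses and alert on any that return False, both to spot abuse and to confirm an upgrade closed the hole. The hardened builder removes the dot entirely rather than trying to validate extensions, because the server, not the profile owner, decides what the download is called.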
Potential Impact
For European organizations, the realistic scenario is an insider or a self-registered user on a customer-facing portal who sets a crafted display name and waits for other users to export the profile. Liferay Portal and DXP are common platforms for intranets, customer portals and content management, so a download with a spoofed extension could deliver attacker-controlled content into a user's browser or onto a workstation, and script executed in the portal origin could lead to session hijacking or unauthorized actions under the victim's account. The need for an account and for the victim to trigger the download rules out mass exploitation, but portals that allow self-registration or carry many low-trust accounts widen the pool of potential attackers. Organizations in finance, healthcare, government and critical infrastructure that expose Liferay-based services may face reputational damage and regulatory scrutiny if user sessions are compromised. No exploit is known in the wild, which leaves a window for patching before weaponized code appears.
Mitigation Recommendations
Organizations should immediately inventory their Liferay Portal and DXP deployments against the version ranges in the description; any deployment inside those ranges is affected. Until an upgrade past those ranges is possible, apply the following mitigations: (1) Restrict the Profile widget and vCard export to trusted users, and disable self-registration where the portal does not need it, since every account holder is a potential attacker. (2) Audit existing display names for double quotes, semicolons, backslashes, control characters and file extensions, and strip them; a request-side WAF rule on profile updates can block such names going forward, whereas a plain WAF cannot fix the response header the widget already emits. (3) If a reverse proxy fronts the portal, have it rewrite Content-Disposition on vCard download responses to a fixed, server-chosen filename ending in .vcf, and add X-Content-Type-Options: nosniff with an explicit Content-Type: text/vcard. (4) Log the Content-Disposition values of vCard download responses and alert on any whose effective filename does not end in .vcf or that contain CR/LF. (5) Tell users that a profile export should always arrive as a .vcf file and that anything else should be reported rather than opened. (6) Where feasible, disable or customize the Profile widget to remove the vulnerable code path. (7) Keep a strict Content Security Policy in place: it does not govern a file the browser has saved to disk, but it limits the damage if the export is ever served inline. (8) Plan and test the upgrade to the first release after the affected ranges as soon as the vendor publishes it.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:37.245Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e43f694819f8f2e191a0ef
Added to database: 10/6/2025, 10:15:05 PM
Last enriched: 10/14/2025, 12:50:02 AM
Last updated: 11/21/2025, 3:20:11 AM