Liferay DXP Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-43824

The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions and Liferay DXP 2023.Q4.0 through 2023.Q4.5 2023.Q3.1 through 2023.Q3.8 7.4 GA through update 92 and older unsupported versions uses a users name in the Content-Disposition header which allows remote authenticated users to change the file extension when a vCard file is downloaded.