CakePHP 2.x prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6, and 3.x prior to 3.0.15 and 3.1.4, are vulnerable to Remote File Inclusion through View template name manipulation.
References
- https://github.com/cakephp/cakephp/commit/5e60cc5d182e6131e3fbdfdf69f49d560c9ff78b
- https://bakery.cakephp.org/2015/11/05/cakephp_3015_314_2612_276_released.html
- https://github.com/FriendsOfPHP/security-advisories/blob/master/cakephp/cakephp/2015-11-05.yaml
- https://github.com/advisories/GHSA-p76f-wr22-4rv6