
Cloud Vulnerability DB
A community-led vulnerabilities database
CakePHP versions 2.x (prior to 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, and 2.7.6) and 3.x (prior to 3.0.15 and 3.1.4) were found to be vulnerable to Remote File Inclusion through View template name manipulation. The vulnerability was discovered and disclosed on November 5, 2015, with credit given to Kurita Takashi for identifying and verifying the security issues (CakePHP Blog).
The vulnerability allowed attackers to manipulate view template filenames, potentially leading to remote file inclusion. The issue was specifically related to plugin view names being able to escape the plugin root directory. The fix involved removing the ability to specify completely arbitrary view files, requiring absolute paths to be located within a configured view path (GitHub Commit).
The vulnerability could allow attackers to include and execute arbitrary files through view template name manipulation, potentially leading to unauthorized access to files outside the intended directory structure (GitHub Advisory).
Users were strongly advised to upgrade to the patched versions: 2.0.99, 2.1.99, 2.2.99, 2.3.99, 2.4.99, 2.5.99, 2.6.12, 2.7.6, 3.0.15, or 3.1.4. The CakePHP team emphasized the importance of immediate upgrade to address this security issue (CakePHP Blog).
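A containment check of the kind the fix describes, added here as an example in PHP (not CakePHP's own code, which this page does not reproduce): a template name may resolve only to a file inside one of the configured view directories, whether it is given relative to them or as an absolute path. The directory layout, the `.ctp` extension and PHP 8 string helpers are assumptions.

```php
<?php
// Added example (not CakePHP code): resolve a view template name and accept it
// only if the real path lies inside a configured view directory.
function resolveTemplate(string $name, array $viewPaths): ?string
{
    // A URL-style name (http://, phar://, ...) is never a local template;
    // an include() of such a name is exactly the remote file inclusion case.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $name)) {
        return null;
    }
    $isAbsolute = str_starts_with($name, '/');

    foreach ($viewPaths as $dir) {
        $root = realpath($dir);
        if ($root === false) {
            continue;
        }
        $root = rtrim($root, DIRECTORY_SEPARATOR);
        // Absolute names are allowed, but must still land inside a view path.
        $candidate = realpath($isAbsolute ? $name . '.ctp'
                                          : $root . DIRECTORY_SEPARATOR . $name . '.ctp');
        // realpath() collapses "." / ".." and symlinks, so a prefix test on its
        // result (with a trailing separator, so "/views2" cannot match "/views") is sound.
        if ($candidate !== false && str_starts_with($candidate, $root . DIRECTORY_SEPARATOR)) {
            return $candidate;
        }
    }
    return null; // nothing inside any configured view path: refuse to include
}

// Constructed demo: a temporary view root holding one legitimate template.
$root = sys_get_temp_dir() . '/demo_view_' . getmypid();
mkdir("$root/Posts", 0700, true);
file_put_contents("$root/Posts/index.ctp", '<p>ok</p>');

var_dump(resolveTemplate('Posts/index', [$root]) !== null);          // bool(true): relative, inside root
var_dump(resolveTemplate("$root/Posts/index", [$root]) !== null);    // bool(true): absolute, inside root
var_dump(resolveTemplate('../../../../etc/passwd', [$root]));        // NULL: traversal leaves the root
var_dump(resolveTemplate('/etc/passwd', [$root]));                   // NULL: absolute path outside root
var_dump(resolveTemplate('http://example.invalid/x', [$root]));      // NULL: remote include refused

unlink("$root/Posts/index.ctp");
rmdir("$root/Posts");
rmdir($root);
```

The important property is that the decision is made on the `realpath()` result rather than on the raw name, so encoded or symlinked detours are judged by where they actually land.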
Source: This report was generated using AI