Description
The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Remediation
References
Related Vulnerabilities
Oracle HTTP Server Other Vulnerability (CVE-2006-5350)
Magento Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-7903)
MyBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-3759)
WordPress Plugin Shantz WordPress QOTD Cross-Site Request Forgery (1.2.2)