CakePHP is vulnerable to a file inclusion attack because it calls the &quot;unserialize()&quot; function on unchecked user input. This makes it possible to inject arbitrary objects into the application's scope.<br><br>Source: <a href="http://securityreason.com/securityalert/8026">http://securityreason.com/securityalert/8026</a><br>
<br>PoC: <a href="http://malloc.im/burnedcake.py">http://malloc.im/burnedcake.py</a><br>
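<br>The weak pattern described above next to two hardened alternatives, as an added example that is not CakePHP's code or the advisory author's. The key, the "mac:payload" field format and all function names are assumptions made for the illustration.<br>

```php
<?php
// Added illustration, not CakePHP code. SECRET_KEY and the
// "<hex hmac>:<base64 json>" field format are assumptions.
const SECRET_KEY = 'constructed-example-key-replace-me';

// Weak form: a request value goes straight into unserialize(), so any
// class in scope can be instantiated and its magic methods
// (__wakeup, __destruct) run on attacker-chosen property values.
function decode_unsafe(string $field)
{
    return unserialize(base64_decode($field));
}

// Hardened form 1: carry plain data as JSON and authenticate it.
function encode_signed(array $data): string
{
    $payload = base64_encode(json_encode($data));
    return hash_hmac('sha256', $payload, SECRET_KEY) . ':' . $payload;
}

function decode_signed(string $field): ?array
{
    $parts = explode(':', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    // Verify the MAC in constant time before decoding anything.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Hardened form 2 (PHP 7.0+): if the serialized format must stay,
// forbid object instantiation; objects become __PHP_Incomplete_Class.
function decode_legacy(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample input.
$token = encode_signed(['locked' => ['User.id']]);
var_dump(decode_signed($token));             // accepted: MAC matches
var_dump(decode_signed('00' . $token));      // rejected: MAC mismatch
var_dump(decode_legacy('O:8:"stdClass":0:{}') instanceof stdClass);
```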