class yii\web\ViewAction allowed to include arbitrary files that end with .php

PKSA-vxs3-y9yw-z24k CVE-2015-5467

Affected package: yiisoft/yii2-dev

Affected version: <2.0.5

Reported by:
FriendsOfPHP/security-advisories