TalkBack 2.3.6 allows remote malicious users to obtain configuration information via a direct request to install/info.php, which calls the phpinfo function.
Affected: vendor talkback, product talkback, version 2.3.6