php · cakephp/cakephp
Heads-up
CakePHP View::_getElementFileName() Path Traversal
View::_getElementFileName() no longer resolves element paths outside application/plugin view template directories.
What changed
View::_getElementFileName() now refuses to resolve an element name to a file outside the application's or a plugin's view template directories. Previously, an element name built from user-supplied data could carry path-traversal sequences and cause View::element() to include an arbitrary PHP file on the server (a local file inclusion).
Who it affects
Applications running CakePHP 5.3.x before 5.3.6, 5.2.x before 5.2.13, 5.1.x before 5.1.7, 4.6.x before 4.6.4, or 4.5.x before 4.5.11 that pass user-supplied data (request parameters, route segments, form fields) into an element name.
What to do today
Update to a patched release: 5.3.6, 5.2.13, 5.1.7, 4.6.4, or 4.5.11. Until then, ensure element names are never derived from user-supplied data; if a request must select which element to render, map the input onto a fixed allowlist of element names instead of passing it through.
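The example below is added here and is not CakePHP's code or part of the advisory. It shows, on a constructed temporary directory layout, how a crafted element name escapes the templates directory when it is simply concatenated into a path, and then two application-side mitigations for the "never user-supplied" advice above: an allowlist that maps a request key onto a fixed element name, and a defence-in-depth containment check. The helper names, the directory layout and the element names are assumptions for the demo; it assumes PHP 8.0 or later. None of this replaces upgrading to a patched release.

```php
<?php
// Added example, not CakePHP's code. The resolution logic here is a
// hypothetical stand-in for the concatenation pattern the advisory describes.
declare(strict_types=1);

// Naive resolution: joins a base directory and an untrusted name with no
// containment check. This is the vulnerable pattern, kept for the demo.
function naiveElementPath(string $templatesDir, string $name): string
{
    return $templatesDir . '/element/' . $name . '.php';
}

// Mitigation 1: the request selects a key, never a path. Unknown keys fail.
function elementFromAllowlist(string $userKey, array $allowlist): string
{
    if (!array_key_exists($userKey, $allowlist)) {
        throw new InvalidArgumentException('Unknown element key');
    }
    return $allowlist[$userKey];
}

// Mitigation 2 (defence in depth): when a name must be dynamic, allow only a
// conservative character set (no dots, so no "..", and no leading "/"), then
// prove the resolved file is inside the element directory. realpath() collapses
// ".." and symlinks, so the prefix comparison is meaningful; names that do not
// resolve to an existing file are rejected as well.
function assertElementInsideTemplates(string $templatesDir, string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_\/-]*\z/', $name)) {
        throw new InvalidArgumentException('Invalid element name');
    }
    $base = realpath($templatesDir . '/element');
    $resolved = realpath(naiveElementPath($templatesDir, $name));
    if ($base === false || $resolved === false
        || !str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Element resolves outside templates');
    }
    return $resolved;
}

// --- Demo on a constructed layout under the system temp directory ---
$tmp = sys_get_temp_dir() . '/cake_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/templates/element", 0700, true);
mkdir("$tmp/config", 0700, true);
file_put_contents("$tmp/templates/element/sidebar.php", "<?php echo 'sidebar';");
file_put_contents("$tmp/config/app.php", "<?php echo 'SECRET CONFIG';");
$templates = "$tmp/templates";

// 1. Unchecked concatenation: the crafted name walks out of templates/.
$evil = '../../config/app';
$path = naiveElementPath($templates, $evil);
echo "naive path: $path" . PHP_EOL;
echo 'resolves to a file outside templates: ' . (file_exists($path) ? 'yes' : 'no') . PHP_EOL;

// 2. Allowlist: only known keys map to element names.
$allowlist = ['side' => 'sidebar', 'foot' => 'footer'];
echo 'allowlist: ' . elementFromAllowlist('side', $allowlist) . PHP_EOL;
try {
    elementFromAllowlist($evil, $allowlist);
} catch (InvalidArgumentException $e) {
    echo 'allowlist rejected: ' . $e->getMessage() . PHP_EOL;
}

// 3. Containment check: a legitimate name passes, traversal is refused.
echo 'contained: ' . assertElementInsideTemplates($templates, 'sidebar') . PHP_EOL;
try {
    assertElementInsideTemplates($templates, $evil);
} catch (InvalidArgumentException $e) {
    echo 'containment rejected: ' . $e->getMessage() . PHP_EOL;
}

// Clean up the constructed layout.
unlink("$tmp/templates/element/sidebar.php");
unlink("$tmp/config/app.php");
rmdir("$tmp/templates/element");
rmdir("$tmp/templates");
rmdir("$tmp/config");
rmdir($tmp);
```

The allowlist is the mitigation to prefer: the request never carries a filename at all. The containment check deliberately rejects dots, so it also rejects CakePHP's `Plugin.element` naming; if plugin elements must be selectable, split on the first dot and validate the plugin name against a known list before checking the element part the same way.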