PT-2024-40335 · Zend · Zend View

Published: 2024-06-07 · Updated: 2024-06-07

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Zend View versions up to and including 1.7.4

Description

The issue is a Local File Inclusion (LFI) weakness. If untrusted input is used to specify the script path and/or the view script name, an attacker can point Zend_View at a system directory and have it render a system file. For example, if a user-supplied string such as /etc/passwd, or a relative path that resolves to that file, is passed to Zend_View::render(), that file is rendered. Zend_View::setScriptPath() is implicated in the same way, since it controls the directory from which view scripts are resolved.

Recommendations

For versions up to and including 1.7.4, ensure that only trusted input is used to specify script paths and view scripts. As a temporary workaround, validate and sanitize all user-supplied input before passing it to Zend_View::render() or Zend_View::setScriptPath(): keep the script path fixed by the application, restrict view names to a known set, and confirm that the resolved file lies inside the script directory.
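The following is an added example, not code from the advisory or from the Zend Framework project, showing how an application running an affected Zend_View version can apply the recommended input validation before calling render(). It assumes Zend Framework 1.x is on the include path, that view scripts live under a fixed views/scripts directory with the .phtml extension, and that the page name arrives in the constructed query parameter $_GET['page']; the allowlist and function names are hypothetical.

```php
<?php
// Added example (not from the advisory or the Zend Framework project):
// keep the script path fixed, allowlist the view name, and verify that the
// resolved file stays inside the script directory before Zend_View::render().
declare(strict_types=1);

require_once 'Zend/View.php'; // assumes ZF 1.x on the include path

/**
 * Map a user-supplied page key to a view script file name that is safe to
 * pass to Zend_View::render(), or throw. Three independent checks:
 *   1. allowlist of known page keys,
 *   2. rejection of separators, ".." and NUL bytes (defence in depth),
 *   3. realpath containment inside $scriptPath.
 */
function resolveViewScript(string $scriptPath, string $page, array $allowed): string
{
    // 1. Allowlist: the strongest check when the set of views is known.
    if (!in_array($page, $allowed, true)) {
        throw new InvalidArgumentException("unknown page: $page");
    }

    // 2. Refuse anything that could change directories.
    //    Regex matches "/" or "\" or "..".
    if (preg_match('#[/\\\\]|\.\.#', $page) || strpos($page, "\0") !== false) {
        throw new InvalidArgumentException('illegal characters in page name');
    }

    // 3. Resolve the final file and confirm it is under the script directory.
    $base = realpath($scriptPath);
    $file = $page . '.phtml';
    $full = realpath($scriptPath . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('view script resolves outside the script path');
    }
    return $file;
}

// Script path is fixed by the application and never derived from user input.
$scriptPath = __DIR__ . '/views/scripts';
// Constructed allowlist of pages this application actually serves.
$allowed = ['index', 'profile', 'settings'];

$view = new Zend_View();
$view->setScriptPath($scriptPath);

// Attacker-controlled input, e.g. "../../../../etc/passwd" or "/etc/passwd".
$requested = (string)($_GET['page'] ?? 'index');

try {
    echo $view->render(resolveViewScript($scriptPath, $requested, $allowed));
} catch (Exception $e) {
    http_response_code(404);
    echo 'Page not found';
}
```

The allowlist alone closes the issue for a fixed set of views; the character check and the realpath containment test are kept so that a later change which relaxes the allowlist (for example, loading page keys from a database) does not silently reintroduce the traversal path.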

Fix

Path traversal


Weakness Enumeration

Related Identifiers

GHSA-HX3M-959F-V849

Affected Products

Zend View