Quake3Arena contains a flaw that allows a remote attacker to read or write files. The issue is due to the environment for Quake3Arena allowing client-side modification. Combining the automatic download feature of Quake3Arena, the remote attacker can access any files above the subdirectory of the install directory and allow code to be automatically downloaded to the user's system, resulting in a loss of confidentiality and integrity.
Upgrade to version 1.17 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.