paFAQ Upload a Language Pack Arbitrary Code Execution
Remote / Network Access
Loss of Integrity
paFAQ contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'Upload a Language Pack' feature not properly sanitizing user input, allowing php modules containing arbitrary commands to be uploaded. This may allow an attacker to include a file that contains arbitrary commands which will be executed by the uploaded script in the 'lang' directory.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.