NUUO CMS version 3.3 and prior allows external input to construct a pathname that is able to be resolved outside the intended directory. This could allow an attacker to impersonate a legitimate user, obtain restricted information, or execute arbitrary code.
