The host is installed with rConfig through 3.9.4 and is prone to an OS command injection vulnerability. A flaw is present in the application, which fails to an issue in lib/ajaxHandlers/ajaxAddTemplate.php file. Successful exploitation allows remote attackers to execute arbitrary OS commands via shell metacharacters in the fileName POST parameter.