Softaculous contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the index.live.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'download' parameter. This directory traversal attack would allow a remote attacker to gain access to arbitrary files.
Remote / Network Access
Loss of Confidentiality
It has been reported that this issue has been fixed. Upgrade to version 4.2.3, or higher, to address this vulnerability.