- Bug
- Resolution: Fixed
- Major
- 3.0.8
- None
When you edit any template file with the ACP/Styles/Templates -> edit feature, you can access any file on the webserver by replacing the value of name=template_file in the form's input tag with a path that goes upwards, like

    ..../..../..../index.php

As a result you can read any files (imagine config.php) as well as write any custom code (including shells/etc) into writable directories like /cache.
The problematic code is in includes/acp/acp_styles.php, function edit_template():

    // make sure template_file path doesn't go upwards
    $template_file = str_replace('..', '.', $template_file);

which doesn't really do its job, since ..../ is replaced with ../ and hence still allows you to go up a directory anyway.
Never let your co-admins (who don't have founder permissions / FTP access) use the ACP template edit feature until this bug is fixed.
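
The single-pass filter quoted above next to a canonicalise-then-contain check that rejects the same input, as an added example (not phpBB's code or its actual fix). The sandbox paths and the helpers filter_from_report() and resolve_inside() are constructed for illustration.

```php
<?php
// Constructed sandbox: <tmp>/tpl_demo_*/styles/template holds templates,
// <tmp>/tpl_demo_*/config.php stands in for a file outside that directory.
$root = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
$template_dir = "$root/styles/template";
mkdir($template_dir, 0700, true);
file_put_contents("$template_dir/index_body.html", '<p>template</p>');
file_put_contents("$root/config.php", 'secret');

// The filter quoted in the report: one pass, so '....' collapses to '..'.
function filter_from_report(string $template_file): string
{
    return str_replace('..', '.', $template_file);
}

// Hardened check (hypothetical helper): resolve the path first, then require
// the result to sit inside the template directory. Returns false on rejection.
function resolve_inside(string $base_dir, string $template_file)
{
    $base = realpath($base_dir);
    $path = realpath($base . DIRECTORY_SEPARATOR . $template_file);
    if ($base === false || $path === false || !is_file($path)) {
        return false;
    }
    // Trailing separator stops "/template_old" from matching "/template".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : false;
}

foreach (['index_body.html', '..../..../config.php'] as $input) {
    $filtered = filter_from_report($input);   // second input becomes ../../config.php
    $resolved = resolve_inside($template_dir, $filtered);
    printf("%-22s filtered=%-18s %s\n", $input, $filtered,
        $resolved === false ? 'REJECTED' : 'allowed');
}

// Remove the constructed sandbox.
array_map('unlink', ["$template_dir/index_body.html", "$root/config.php"]);
rmdir($template_dir);
rmdir("$root/styles");
rmdir($root);
```

realpath() only resolves paths that exist, so this form covers opening an existing template; a save path that may create files needs the same containment test applied to the resolved parent directory.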