When you're going to edit any template file with ACP/Styles/Templates -> edit feature, you can access any files on webserver by replacing the value for name=template_file in form input tag with any path going upwards, like
and so on.
As a result you can read any files (imagine config.php) as well as write any custom code (including shells/etc) into writable directories like /cache.
The problematic code is in includes/acp/acp_styles.php, function edit_template():
which doesn't really make its job since ..../ is being replaced with ../ and hence allows you to go directory upwards anyway.
Never let your co-admins (who doesn't have founder permissions / ftp access) to use ACP template edit feature until this bug is unfixed