Directory traversal vulnerability in main/main.php in QuestCMS allows remote attackers to read arbitrary local files via a .. (dot dot) sequence in the theme parameter.
questwork questcms
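
An added example, not QuestCMS code: one way a PHP application can resolve a `theme` request parameter so that dot-dot sequences cannot escape the themes directory. The function name `resolveThemeDir`, the one-directory-per-theme layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: every theme is a directory directly under $themesRoot.
function resolveThemeDir(string $themesRoot, string $theme): ?string
{
    // 1. Syntactic allowlist: a theme name is a single path component, so
    //    "/", "\", "." (and therefore ".."), NUL bytes and "" never match.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme) !== 1) {
        return null;
    }

    // 2. Canonicalise both paths. realpath() resolves symlinks and returns
    //    false when the target does not exist.
    $root = realpath($themesRoot);
    $candidate = realpath($themesRoot . DIRECTORY_SEPARATOR . $theme);
    if ($root === false || $candidate === false || !is_dir($candidate)) {
        return null;
    }

    // 3. Containment check on the resolved path: it must sit directly under
    //    the themes root. This catches a theme entry that is a symlink
    //    pointing outside the root, which step 1 alone would not.
    if (dirname($candidate) !== $root) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary themes root containing one theme, "default".
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes_demo_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'default', 0700, true);

// Constructed sample inputs: one valid name, then values that must be refused.
$inputs = ['default', '../../etc', 'default/../..', "default\0", '', 'missing'];
foreach ($inputs as $input) {
    $dir = resolveThemeDir($root, $input);
    printf("%-20s => %s\n", json_encode($input), $dir === null ? 'rejected' : 'accepted');
}

// Clean up the temporary directories created for the demo.
rmdir($root . DIRECTORY_SEPARATOR . 'default');
rmdir($root);
```

The allowlist and the canonical-path check are deliberately redundant: either one alone blocks a dot-dot value, and together they also cover encodings or filesystem tricks that one of them might miss.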