handler/upload_handler.jsp in DEXT5 Editor up to and including 3.5.1402961 allows an malicious user to download arbitrary files via the savefilepath field.
dext5 dext5