An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows malicious users to execute a directory traversal.
sonic project sonic 1.0.4