Flaw found in Koha

A moderately critical flaw was found in Koha. It allows an attacker to compromise a user’s system. The vulnerability is due to improper verification of input data passed via the "KohaOpactlanguage" cookie to cgi-bin/koha/mainpage.pl. An attacker may use a directory traversal attack to include arbitrary files from local resources.
The flaw was confirmed in version 4.02.06. Other versions may also be vulnerable.
The flaw was fixed in the Git repository.
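
The kind of check whose absence the advisory describes, as an added example in Perl: it is not Koha's code or the project's actual fix. The function name `resolve_lang_dir`, the `templates` directory layout and the sample cookie values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not Koha code): validate a language cookie value before it
# is used to select a template directory. All names here are hypothetical.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Accept only language tags such as "en", "fr-FR" or "zh-Hans-CN".
# \A and \z anchor the whole string, so "/", "..", NUL and newlines fail.
my $LANG_RE = qr/\A[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8}){0,2}\z/;

# Return the resolved template directory for $lang under $base, or nothing
# if the value is malformed, not installed, or resolves outside $base.
sub resolve_lang_dir {
    my ($base, $lang) = @_;
    return unless defined $lang && $lang =~ $LANG_RE;
    my $real_base = realpath($base);
    return unless defined $real_base;
    my $candidate = File::Spec->catdir($real_base, $lang);
    return unless -d $candidate;
    my $real = realpath($candidate);
    # Containment check after symlinks have been resolved.
    return unless defined $real && index($real, "$real_base/") == 0;
    return $real;
}

# Constructed layout: <tmp>/templates/{en,fr-FR} plus a symlink "xx" that
# points outside the template tree.
my $root = tempdir(CLEANUP => 1);
my $base = File::Spec->catdir($root, 'templates');
mkdir $base or die "mkdir: $!";
for my $name (qw(en fr-FR)) {
    mkdir File::Spec->catdir($base, $name) or die "mkdir: $!";
}
symlink $root, File::Spec->catdir($base, 'xx') or die "symlink: $!";

# Constructed cookie values: two valid, the rest must be rejected.
for my $cookie ('en', 'fr-FR', '../../../../etc', 'en/../..', "en\0", 'de', 'xx') {
    my $dir = resolve_lang_dir($base, $cookie);
    (my $shown = $cookie) =~ s/[^\x20-\x7e]/?/g;    # printable form for output
    printf "%-18s %s\n", $shown,
        defined $dir ? 'accepted' : 'rejected (use default language)';
}
```

The syntax check alone stops traversal sequences; the `realpath` containment check additionally covers a well-formed name that resolves outside the template tree, as the `xx` symlink does.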


Source: Secunia
28.11.2011