Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal sequences in the XML install file in an extension package archive.
https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html