Summary
The remote server is running at least one instance of Chora version 1.2.1 or earlier. Such versions have a flaw in the diff viewer that enables a remote attacker to run arbitrary code with the permissions of the web user.
Solution
Upgrade to Chora version 1.2.2 or later.