Directory traversal vulnerability in the delete function in IMCE before 1.6, a Drupal module, allows remote authenticated users to delete arbitrary files via ".." sequences.
https://exchange.xforce.ibmcloud.com/vulnerabilities/29324
http://www.vupen.com/english/advisories/2006/3892
http://www.securityfocus.com/bid/20312