Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files.
https://www.htbridge.com/advisory/HTB23121
https://exchange.xforce.ibmcloud.com/vulnerabilities/79881
http://secunia.com/advisories/51185
http://packetstormsecurity.org/files/117951/CMS-Made-Simple-1.11.2-Cross-Site-Request-Forgery.html
http://forum.cmsmadesimple.org/viewtopic.php?f=1&t=63545
http://archives.neohapsis.com/archives/bugtraq/2012-11/0035.html