Directory traversal vulnerability in the SFTP/SSH2 virtual server in Xlight FTP Server 3.5.0, 3.5.5, and possibly other versions before 3.6 allows remote authenticated users to read, overwrite, or delete arbitrary files via … (dot dot) sequences in the (1) ls, (2) rm, (3) rename, and other unspecified commands.