Mida eFramework up to and including 2.9.0 allows unauthenticated ../ directory traversal.
midasolutions eframework