CoreFTP Server prior to 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.
coreftp core ftp
coreftp core ftp 2.0