Allied Telesyn TFTP Server (AT-TFTP) contains a flaw that allows a remote attacker to download and upload arbitrary files from and to directories outside of the web path. The issue is due to the program not properly sanitizing user input, specifically directory traversal sequences (../../), and may result in a loss of confidentiality and/or integrity. Note that uploads are possible only if Read/Write mode is selected.
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
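The filename check whose absence is described above, as an added example (not AT-TFTP code and not a vendor fix): it parses a TFTP read or write request, refuses uploads unless Read/Write mode is on, and rejects any filename that resolves outside the served directory. The names `resolve`, `parse_request`, `make_request`, `Rejected` and the `read_write` flag are assumptions made for this sketch.

```python
import os
import struct

OP_RRQ, OP_WRQ = 1, 2  # TFTP read/write request opcodes (RFC 1350)

class Rejected(Exception):
    """Request refused before any file is opened."""

def make_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a constructed RRQ/WRQ packet for exercising the check."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_request(packet: bytes):
    """Split an RRQ/WRQ packet into (opcode, filename)."""
    if len(packet) < 4:
        raise Rejected("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise Rejected("not a read or write request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise Rejected("malformed request")
    try:
        return opcode, fields[0].decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII filename") from None

def resolve(packet: bytes, root: str, read_write: bool = False) -> str:
    """Return the absolute path to serve, or raise Rejected."""
    opcode, name = parse_request(packet)
    if opcode == OP_WRQ and not read_write:
        raise Rejected("uploads disabled: server is read-only")
    name = name.replace("\\", "/")  # Windows accepts both separators
    if name.startswith("/") or ":" in name:
        raise Rejected("absolute path or drive letter")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(root_real, *name.split("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        raise Rejected("path escapes the served directory")
    return target
```

The comparison is made on the fully resolved path rather than by searching the filename for "../", so encodings and mixed separators that reduce to the same location are caught by the same test.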