ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers c