Is this setting a secutity hole?

Hi!

I’m asked to adminster a drupal7 site. The is ‘private file access’ is set, and the default upload directory is ‘../’, where the webserver’s root is the directory named ‘web’. I think it’s because the IMCE allows the see in the file browser window both private and public direcorties only in this way.

Is it a secutity hole, or not — shall I change it?

Thank you!

Drupal version: 


Source: https://www.drupal.org/taxonomy/term/22/feed