Product
Pimcore's WebDAV asset endpoint exposes a `MOVE` operation without authentication, allowing unauthenticated remote attackers to delete assets if they know two existing asset paths in the same directory; Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions, leading to data loss, content integrity loss, and service disruption.