Asset Management

Pimcore's WebDAV asset endpoint exposes a `MOVE` operation without authentication, allowing unauthenticated remote attackers to delete assets if they know two existing asset paths in the same directory; Authenticated low-privileged users may also be able to perform unauthorized asset move or overwrite operations because the move path does not enforce `rename`, `delete`, `create`, or `publish` permissions, leading to data loss, content integrity loss, and service disruption.

Snipe-IT versions prior to 8.4.1 are vulnerable to remote code execution due to insecure permissions on file uploads, where an attacker can upload arbitrary files and execute code on the server.