Grokability · Snipe-It · CVE-2026-37709
**Name of the Vulnerable Software and Affected Versions**
Grokability Snipe-IT, versions prior to 8.4.1
**Description**
Insecure permissions allow a remote attacker to execute arbitrary code via the `app/Http/Controllers/Api/UploadedFilesController.php` component. Users with permission to view assets or consumables can send a POST request to the `/api/v1/{object type}/{id}/files` endpoint. The API incorrectly authorizes these requests using view permissions instead of write permissions, so users who hold only view permissions can persist files and audit log entries.
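The defect class here is a state-changing endpoint gated by a read permission. The following is an added, framework-agnostic illustration (not Snipe-IT's code, and not the Laravel controller the advisory names): the permission model, the `User`/`FileStore` types and the two handler functions are constructed for this example. It shows the view-gated upload accepting a view-only user and the edit-gated version rejecting the same request before anything is persisted.

```python
"""Added example: authorization of a file-upload endpoint gated by a read
permission (defective) versus a write permission (corrected).
All names, the permission strings and the in-memory store are constructed
for this illustration and are not Snipe-IT's own code."""
from dataclasses import dataclass, field
from http import HTTPStatus


@dataclass
class User:
    name: str
    # Constructed permission model: "<object_type>.view" / "<object_type>.edit"
    permissions: frozenset


@dataclass
class FileStore:
    files: dict = field(default_factory=dict)      # (object_type, id) -> [filenames]
    audit_log: list = field(default_factory=list)  # one entry per persisted upload

    def persist(self, user, object_type, object_id, filename):
        # Both the file and the audit entry are written only after authorization.
        self.files.setdefault((object_type, object_id), []).append(filename)
        self.audit_log.append(
            f"{user.name} uploaded {filename} to {object_type}/{object_id}"
        )


def _required_permission(object_type, action):
    return f"{object_type}.{action}"


def upload_view_gated(store, user, object_type, object_id, filename):
    """Defective pattern: POST /{object_type}/{id}/files authorized with the
    *view* permission, so a read-only user can write files and audit entries."""
    if _required_permission(object_type, "view") not in user.permissions:
        return HTTPStatus.FORBIDDEN
    store.persist(user, object_type, object_id, filename)
    return HTTPStatus.OK


def upload_edit_gated(store, user, object_type, object_id, filename):
    """Corrected pattern: a write operation requires the *edit* permission
    for the target object type; nothing is persisted otherwise."""
    if _required_permission(object_type, "edit") not in user.permissions:
        return HTTPStatus.FORBIDDEN
    store.persist(user, object_type, object_id, filename)
    return HTTPStatus.OK


def demo():
    """Run the same POST as a view-only user and as an editor through both
    handlers and return the status codes plus the resulting stores."""
    viewer = User("viewer", frozenset({"assets.view"}))
    editor = User("editor", frozenset({"assets.view", "assets.edit"}))
    vulnerable, fixed = FileStore(), FileStore()
    results = {
        "viewer_on_vulnerable": upload_view_gated(vulnerable, viewer, "assets", 1, "notes.txt"),
        "viewer_on_fixed": upload_edit_gated(fixed, viewer, "assets", 1, "notes.txt"),
        "editor_on_fixed": upload_edit_gated(fixed, editor, "assets", 1, "invoice.pdf"),
    }
    return results, vulnerable, fixed


if __name__ == "__main__":
    outcome, vuln_store, fixed_store = demo()
    for label, status in outcome.items():
        print(f"{label}: {int(status)}")
    print("vulnerable store audit log:", vuln_store.audit_log)
    print("fixed store audit log:", fixed_store.audit_log)
```

The useful detection angle for defenders is the audit log itself: in the view-gated handler the audit entries are written by a user who should hold no write permission, so a review of file-upload audit entries against each actor's assigned permissions surfaces the misuse after the fact, and the permission check on the write path is the fix.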
**Recommendations**
Update to version 8.4.1.