Manyfold · Manyfold · CVE-2026-28225
**Name of the Vulnerable Software and Affected Versions**
Manyfold versions prior to 0.133.1
**Description**
Manyfold is a self-hosted web application for managing 3D models. A flaw exists in the `get_model` method of `ModelFilesController` (lines 158-160), where the model is loaded with `Model.find_param(params[:model_id])` instead of going through `policy_scope()`. Because the lookup runs against the unscoped `Model` table, Pundit's scope-based authorization is bypassed, and a user may be able to reach models they are not authorized to see. Other controllers correctly load models with `policy_scope(Model).find_param()`. The user-controlled `model_id` parameter selects which model is loaded.
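The following is an added, self-contained illustration of the two lookup patterns the description contrasts; it is not Manyfold's code. Rails, ActiveRecord and Pundit are replaced by small stand-ins (`Relation`, `ModelPolicy::Scope`, `policy_scope`) written for this example, the `find_param` finder and the rule "a user may see public models and their own" are assumptions, and the users and models are constructed sample data. The point it shows is that running the finder against the unscoped table answers for any model, while running it against the policy-scoped relation turns an unauthorized model into a not-found.

```ruby
# Added example (not Manyfold's code). Stand-ins for the pieces the advisory
# names: an ActiveRecord-style relation, a Pundit policy scope, and the
# controller lookup in its vulnerable and fixed forms.

class NotFound < StandardError; end

User  = Struct.new(:id, :name)
Model = Struct.new(:id, :public_id, :owner_id, :public)

# Constructed sample data.
ALICE = User.new(1, "alice")
BOB   = User.new(2, "bob")
MODELS = [
  Model.new(1, "alpha", ALICE.id, false), # private to alice
  Model.new(2, "beta",  BOB.id,   false), # private to bob
  Model.new(3, "gamma", ALICE.id, true),  # public
].freeze

# Minimal stand-in for an ActiveRecord relation. `find_param` (assumed to
# look up a model by its public identifier) raises when nothing matches,
# as ActiveRecord's finders do.
class Relation
  def initialize(rows)
    @rows = rows
  end

  def where(&filter)
    Relation.new(@rows.select(&filter))
  end

  def find_param(param)
    @rows.find { |m| m.public_id == param } || raise(NotFound, param)
  end
end

# Pundit-style scope: `resolve` returns only the rows the user may see.
# The rule itself (public or owned) is an assumption for this example.
class ModelPolicy
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      @scope.where { |m| m.public || m.owner_id == @user.id }
    end
  end
end

# Stand-in for Pundit's `policy_scope` helper.
def policy_scope(user, scope)
  ModelPolicy::Scope.new(user, scope).resolve
end

# Vulnerable pattern: the finder runs against the whole table, so the
# current user plays no part in which rows can be returned.
def get_model_unscoped(_user, model_id)
  Relation.new(MODELS).find_param(model_id)
end

# Fixed pattern: the finder runs against the policy-scoped relation, so a
# model the user may not see is simply not found.
def get_model_scoped(user, model_id)
  policy_scope(user, Relation.new(MODELS)).find_param(model_id)
end

# Returns the public id of the loaded model, or :not_found.
def lookup(user, model_id, scoped:)
  model = scoped ? get_model_scoped(user, model_id) : get_model_unscoped(user, model_id)
  model.public_id
rescue NotFound
  :not_found
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, bob -> alpha: #{lookup(BOB, 'alpha', scoped: false)}"  # bob reads alice's private model
  puts "scoped,   bob -> alpha: #{lookup(BOB, 'alpha', scoped: true)}"   # not_found
  puts "scoped,   bob -> gamma: #{lookup(BOB, 'gamma', scoped: true)}"   # public model still visible
end
```

The practical check when auditing a Rails application that uses Pundit is to grep controllers for `Model.find` / `.find_param(` calls that are not chained off `policy_scope(...)`, since a single unscoped finder is enough to undo the per-user filtering the policy scope is meant to enforce.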
**Recommendations**
Update to version 0.133.1 or later.