Unknown · Privateuploader · CVE-2023-40020
**Name of the Vulnerable Software and Affected Versions**
PrivateUploader versions prior to 3.2.49
**Description**
PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions, the `app/routes/v3/admin.controller.ts` file did not correctly verify whether the user was an administrator or moderator, so the request continued processing. The response would be a 403 with ADMIN ONLY; however, `next()` would still be called, so any updates/changes in the route would still be processed.
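The control-flow flaw described above, reduced to a self-contained TypeScript model with the flawed guard beside a corrected one. This is an added example, not PrivateUploader's code: the `Req`/`Res` shapes, the `administrator`/`moderator` flags, and the `send` and `simulate` helpers are assumptions made for illustration.

```typescript
// Constructed stand-ins for an Express-style request/response pair (assumed shapes).
type User = { name: string; administrator: boolean; moderator: boolean };
type Req = { user: User };
type Res = { statusCode: number; body: string; sent: boolean };
type Middleware = (req: Req, res: Res, next: () => void) => void;
// Only the first reply counts in this model; later writes are dropped.
function send(res: Res, status: number, body: string): void {
  if (res.sent) return;
  res.statusCode = status;
  res.body = body;
  res.sent = true;
}

// Flawed guard: replies 403 but still falls through to next() for every caller.
const flawedGuard: Middleware = (req, res, next) => {
  if (!req.user.administrator && !req.user.moderator) {
    send(res, 403, "ADMIN ONLY");
  }
  next();
};

// Corrected guard: returns right after the 403, so the handler never runs.
const fixedGuard: Middleware = (req, res, next) => {
  if (!req.user.administrator && !req.user.moderator) {
    send(res, 403, "ADMIN ONLY");
    return;
  }
  next();
};

// Runs a guard in front of a state-changing handler and reports what happened.
function simulate(guard: Middleware, user: User): { status: number; changed: boolean } {
  const state = { changed: false }; // constructed server-side state
  const res: Res = { statusCode: 0, body: "", sent: false };
  const handler: Middleware = (_req, r) => {
    state.changed = true; // the update the guard is supposed to protect
    send(r, 200, "OK");
  };
  guard({ user }, res, () => handler({ user }, res, () => {}));
  return { status: res.statusCode, changed: state.changed };
}

const regular: User = { name: "alice", administrator: false, moderator: false };
const admin: User = { name: "root", administrator: true, moderator: false };
const results = {
  flawedRegular: simulate(flawedGuard, regular), // { status: 403, changed: true }
  fixedRegular: simulate(fixedGuard, regular),   // { status: 403, changed: false }
  fixedAdmin: simulate(fixedGuard, admin),       // { status: 200, changed: true }
};
```

With the flawed guard the caller sees the same 403 either way, so a regression test for this class of bug has to assert on server-side state, not only on the status code.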
**Recommendations**
For versions prior to 3.2.49, upgrade to version 3.2.49 to address the issue. As a temporary workaround, consider restricting access to the `admin.controller.ts` file until the upgrade is applied. There are no known workarounds for this issue other than upgrading to the fixed version.