snipe-it prior to version 5.3.4 is vulnerable to Improper Access Control. Regular users with DENY set to all models permissions can still view model information via the /models/{id}/clone endpoint due to no authorize('view') permission being set.
DENY