Most endpoints in DashboardController are unauthenticated #6955

Open
opened 2026-02-07 04:19:50 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @felix920506 on GitHub (Apr 23, 2025).

split from #5415

Partially authenticated since 10.8b1

As of 10.7, this controller apparently contains admin dashboard (plugin) configuration pages. While the pages alone are not highly sensitive by itself (the controller only returns the list & html pages without config data), the endpoints being completly unauthenticated allows anyone to retrieve information about the server, e.g this leaks the installed plugins.
Potential fix: Require admin privileges (at least user privileges) to access these pages

Originally created by @felix920506 on GitHub (Apr 23, 2025). split from #5415 Partially authenticated since 10.8b1 As of 10.7, this controller apparently contains admin dashboard (plugin) configuration pages. While the pages alone are not highly sensitive by itself (the controller only returns the list & html pages without config data), the endpoints being completly unauthenticated allows anyone to retrieve information about the server, e.g this leaks the installed plugins. Potential fix: Require admin privileges (at least user privileges) to access these pages
OVERLORD added the bugsecurity labels 2026-02-07 04:19:50 +03:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#6955