mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
Most endpoints in DashboardController are unauthenticated #6955
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @felix920506 on GitHub (Apr 23, 2025).
split from #5415
Partially authenticated since 10.8b1
As of 10.7, this controller apparently contains admin dashboard (plugin) configuration pages. While the pages alone are not highly sensitive by itself (the controller only returns the list & html pages without config data), the endpoints being completly unauthenticated allows anyone to retrieve information about the server, e.g this leaks the installed plugins.
Potential fix: Require admin privileges (at least user privileges) to access these pages