None. Dashy’s authentication was famously literally security theatre even with Keycloak. You could just pause the load in browser and have full access to the config. Because it let you iframe whatever you could now do so with local services to enum. Somehow Jellyfin is unbustable though. So it’s a bit of a crapshoot. Look at past vulnerabilities. Stuff like XSS unless stored you don’t need to worry about, clickjacking, tab nabbing etc. On the other hand anything that’s arbitrary file read, SQLI, RCE, LFI, RFI, SSRF etc. I would look at seriously. E.g. don’t make your 13ft public because it can be used to literally enumerate your entire private network.
=> More informations about this toot | View the thread | More toots from LainTrain@lemmy.dbzer0.com
=> View Dust0741@lemmy.world profile
text/geminiThis content has been proxied by September (3851b).