• 0 Posts
  • 13 Comments
Joined 10 months ago
cake
Cake day: January 24th, 2024

help-circle

  • None. Dashy’s authentication was famously literally security theatre even with Keycloak. You could just pause the load in browser and have full access to the config. Because it let you iframe whatever you could now do so with local services to enum. Somehow Jellyfin is unbustable though. So it’s a bit of a crapshoot. Look at past vulnerabilities. Stuff like XSS unless stored you don’t need to worry about, clickjacking, tab nabbing etc. On the other hand anything that’s arbitrary file read, SQLI, RCE, LFI, RFI, SSRF etc. I would look at seriously. E.g. don’t make your 13ft public because it can be used to literally enumerate your entire private network.