[Security Issue] Registered routes publicly available
GigaFyde opened this issue · comments
Laurant Marijnissen commented
As of right now, all routes registed by the plugin don't seem to be secured in any way.
This means anyone could access and read the data.
Example route: http://localhost:8096/emby/user_usage_stats/user_activity
It's not limited to localhost only.
Would like to see this limited to authorized admin users only.
Odd Stråbø commented
This should be fixed now
Laurant Marijnissen commented
Happy to report that it's indeed no longer publicly accessible from the looks of it.
Greatly appreciated.