Hangfire · Hangfire · CVE-2021-41238
**Name of the Vulnerable Software and Affected Versions**
Hangfire version 1.7.25
**Description**
Hangfire is an open source system to perform background job processing in .NET or .NET Core applications. The Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. However, due to recent changes, in version 1.7.25, no authorization filters are used by default, allowing remote requests to succeed. If the `UseHangfireDashboard` method is used with the default `DashboardOptions.Authorization` property value, the installation is impacted. The issue can be mitigated by upgrading to the newest version or by using the `LocalRequestsOnlyAuthorizationFilter` explicitly when configuring the Dashboard UI.
**Recommendations**
For Hangfire version 1.7.25, upgrade to version 1.7.26 to mitigate the issue.
As a temporary workaround for version 1.7.25, consider using the `LocalRequestsOnlyAuthorizationFilter` explicitly when configuring the Dashboard UI, for example:
```csharp
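// LocalRequestsOnlyAuthorizationFilter lives in the Hangfire.Dashboard namespace.
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    // Set the filter explicitly instead of relying on the default value.
    Authorization = new[] { new LocalRequestsOnlyAuthorizationFilter() }
});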
```
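To find installations that match the conditions described above, the following added example (not part of the original advisory or of Hangfire itself) checks project files for a reference pinned to 1.7.25 and flags `UseHangfireDashboard` calls whose arguments never mention `Authorization`. The NuGet package ids `Hangfire` and `Hangfire.Core`, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

AFFECTED = "1.7.25"                       # affected version, from the advisory
PACKAGES = {"hangfire", "hangfire.core"}  # assumed NuGet package ids

def _local(tag):
    return tag.rsplit("}", 1)[-1]         # drop an XML namespace if present

def affected_packages(xml_text):
    """Return (id, version) pairs pinned to the affected version.

    Reads SDK-style .csproj <PackageReference> items and legacy
    packages.config <package> entries. Floating versions are not resolved."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "PackageReference":
            name = el.get("Include") or el.get("Update")
            version = el.get("Version") or next(
                (c.text for c in el if _local(c.tag) == "Version"), None)
        elif _local(el.tag) == "package":
            name, version = el.get("id"), el.get("version")
        else:
            continue
        if name and version and name.lower() in PACKAGES \
                and version.strip(" []") == AFFECTED:
            hits.append((name, version))
    return hits

CALL = re.compile(r"UseHangfireDashboard\s*\((.*?)\)\s*;", re.S)

def dashboard_calls_without_filter(source):
    """Heuristic: calls whose argument text never mentions Authorization.
    Options built in a separate variable are flagged too and need manual review."""
    return [m.group(0) for m in CALL.finditer(source)
            if "Authorization" not in m.group(1)]

# Constructed sample inputs
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Hangfire.Core" Version="1.7.25" />
  <PackageReference Include="Hangfire.SqlServer" Version="1.7.25" />
</ItemGroup></Project>"""
PACKAGES_CONFIG = '<packages><package id="Hangfire.Core" version="1.7.26" /></packages>'
STARTUP = '''app.UseHangfireDashboard("/hangfire");
app.UseHangfireDashboard("/jobs", new DashboardOptions
{ Authorization = new[] { new LocalRequestsOnlyAuthorizationFilter() } });'''

if __name__ == "__main__":
    print(affected_packages(CSPROJ))
    print(dashboard_calls_without_filter(STARTUP))
```

A project is worth reviewing first when both checks report a hit: the affected version is referenced and a dashboard call sets no filter.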