Security researcher Veno Eivazian found some vulnerabilities in Nodes-Traffic and Monitoring-History (only exploitable by authenticated users). I thank him for contacting me, thus helping to improve NeDi! He mentioned System-Files as well, but as this module can perform actual software updates and is only accessible by admins, any "mitigation" would defeat its purpose.
Please update NeDi 1.9 with this patch:
https://www.nedi.ch/pub/nedi-1.9C1.ptc
I've also provided Patch4 for NeDi 2.0 in the customer area.
The good news is that NeDi 2.1 is on a good track for release by the end of March. It'll contain many usability and visual improvements, as the new dashboard picture shows.