js · fuxa-server · Critical
FUXA Server Missing Authorization in Socket.IO Handlers Leading to SSRF
What changed
Two Socket.IO event handlers (DEVICE_PROPERTY and DEVICE_WEBAPI_REQUEST) in server/runtime/index.js lack authorization checks, allowing unauthenticated SSRF to internal HTTP, OPC UA, and ODBC services.
Who it affects
All FUXA deployments, including those with secureEnabled=true, because guest tokens are issued automatically.
What to do today
Upgrade to FUXA v1.3.2 or apply the recommended fix: add an isSocketWriteAuthorized(socket) check to both handlers, change io.emit to socket.emit, and validate property.address against an allowlist.
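The recommended fix as a hardened handler pattern, added here as an illustration and not FUXA's own code: the event names and isSocketWriteAuthorized come from the advisory, while the socket.user fields, the allowlist contents and the injected fetchFn are assumptions.

```javascript
// Added example, not FUXA's code: the three parts of the recommended fix
// (authorization check, reply to the requesting socket only, allowlisted
// property.address). socket.user fields, allowlist contents and fetchFn are assumptions.

// Assumption: operator-configured set of hosts device requests may reach.
const ALLOWED_HOSTS = new Set(['plc1.example.internal', 'api.example.internal']);
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'opc.tcp:']);

// Allowlist check: exact host match only, so a client cannot substitute an
// internal address that is reachable from the server.
function isAddressAllowed(address) {
  let url;
  try { url = new URL(String(address)); } catch (e) { return false; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  if (url.username || url.password) return false;        // no embedded credentials
  return ALLOWED_HOSTS.has(url.hostname.toLowerCase());
}

// Assumption: authentication middleware attaches socket.user; auto-issued guest
// tokens must never satisfy this check.
function isSocketWriteAuthorized(socket) {
  const user = socket && socket.user;
  return Boolean(user && !user.guest && user.canWrite === true);
}

// Common guard for DEVICE_PROPERTY and DEVICE_WEBAPI_REQUEST. fetchFn performs
// the outbound HTTP/OPC UA/ODBC request and is only reached past both checks.
function handleDeviceRequest(socket, property, fetchFn) {
  if (!isSocketWriteAuthorized(socket)) return { error: 'unauthorized' };
  if (!property || !isAddressAllowed(property.address)) return { error: 'address not allowed' };
  return fetchFn(property);
}

// Wiring: answer with socket.emit so the result goes back to the requester
// only, instead of io.emit, which would broadcast it to every connected client.
function registerDeviceHandlers(io, fetchFn) {
  io.on('connection', (socket) => {
    for (const event of ['DEVICE_PROPERTY', 'DEVICE_WEBAPI_REQUEST']) {
      socket.on(event, (property) => {
        socket.emit(event, handleDeviceRequest(socket, property, fetchFn));
      });
    }
  });
}
```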