Kolibri SSRF via unvalidated baseurl parameter in multiple API endpoints
Multiple Kolibri API endpoints accepted an unvalidated `baseurl` parameter, allowing server-side request forgery (SSRF) and response reflection.
What changed
Several Kolibri API endpoints passed a client-supplied `baseurl` parameter to the server-side HTTP client without checking where it pointed, then returned the remote response to the caller. Affected endpoints: GET /api/auth/remotefacilityuser (unauthenticated), POST /api/auth/remotefacilityauthenticateduserinfo, POST /api/public/setupwizard/loddata (reachable on unprovisioned devices), GET /api/public/networklocation/<id>/facilities/ (authenticated). Root cause: the remote target was not restricted to known peers, and the upstream response was reflected back to the caller, which turns a blind SSRF into one whose responses the attacker can read. Mitigation, applied as four layers: sanitize the reflected response down to the expected fields, require authentication on the endpoints, refuse redirects that leave the original host, and accept only allowlisted peers as targets.
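The following is an added example, not Kolibri's own code, showing what three of those four layers look like in Python (target allowlisting, same-host redirect enforcement, and response sanitization; the authentication layer belongs in the web framework and is not shown). The allowlist contents, the `fetch` transport, the field names and the fake peer responses are all assumptions constructed for the example so that it runs offline.

```python
import ipaddress
import json
from urllib.parse import urlsplit, urljoin

# Hypothetical allowlist of paired peers ("host:port"). A real deployment would
# populate this from the devices the instance has actually been paired with.
ALLOWED_PEERS = {"peer.example.org:8080"}
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
# Only these (assumed) fields of a remote user record are reflected to the client.
USER_FIELDS = ("id", "username", "full_name", "facility")


def default_port(scheme):
    return 443 if scheme == "https" else 80


def host_port(parts):
    """'host:port' for a urlsplit result, with the scheme's default port filled in."""
    return "%s:%d" % (parts.hostname, parts.port or default_port(parts.scheme))


def is_non_public_ip_literal(host):
    """True for IP literals outside the public range (loopback, RFC 1918, link-local, metadata)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # not an IP literal; hostnames are judged by the allowlist


def validate_baseurl(baseurl):
    """Return the normalized 'host:port' of baseurl if it names an allowlisted peer, else raise."""
    parts = urlsplit(baseurl)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")  # blocks host@evil tricks
    if not parts.hostname:
        raise ValueError("missing host")
    if is_non_public_ip_literal(parts.hostname):
        raise ValueError("non-public address not allowed: %s" % parts.hostname)
    peer = host_port(parts)
    if peer not in ALLOWED_PEERS:
        raise ValueError("peer not allowlisted: %s" % peer)
    return peer


def fetch_from_peer(baseurl, path, fetch, max_redirects=MAX_REDIRECTS):
    """Fetch path from the validated peer, following redirects only while they stay on that peer.

    fetch(url) -> (status, headers, body) is an injected transport so the example runs offline.
    """
    peer = validate_baseurl(baseurl)
    url = urljoin(baseurl, path)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        location = urljoin(url, headers.get("Location", ""))
        target = urlsplit(location)
        if target.scheme not in ALLOWED_SCHEMES or host_port(target) != peer:
            raise ValueError("cross-host redirect blocked: %s" % location)
        url = location
    raise ValueError("too many redirects")


def sanitize_user(body):
    """Reflect only the documented user fields, never the raw upstream payload."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("unexpected upstream payload")
    return {key: data[key] for key in USER_FIELDS if key in data}


# Constructed fake peer: one user record carrying secrets a naive proxy would leak,
# and one path that redirects to the cloud metadata address.
FAKE_RESPONSES = {
    "http://peer.example.org:8080/api/user/": (
        200, {}, json.dumps({"id": "u1", "username": "alice", "session_token": "s3cr3t"})),
    "http://peer.example.org:8080/api/moved/": (
        302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}, ""))


def lookup_remote_user(baseurl, fetch=fake_fetch):
    """Hardened shape of a remote-user lookup: validated target, bounded redirects, sanitized reply."""
    status, body = fetch_from_peer(baseurl, "/api/user/", fetch)
    if status != 200:
        raise ValueError("upstream returned %d" % status)
    return sanitize_user(body)


if __name__ == "__main__":
    print(lookup_remote_user("http://peer.example.org:8080"))
    for bad in ("http://localhost:8080", "http://169.254.169.254/", "file:///etc/passwd",
                "http://peer.example.org:8080@evil.example/"):
        try:
            validate_baseurl(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The allowlist is the control that actually closes the hole; the IP-literal check is defence in depth against allowlist mistakes, and the redirect check matters because an allowlisted peer (or a DNS name an attacker controls) can otherwise bounce the request to an internal address after validation has passed.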
Who it affects
Any Kolibri server that exposes these endpoints to untrusted clients. Because GET /api/auth/remotefacilityuser requires no authentication, anyone who can reach the server can make it issue HTTP requests to hosts of their choosing, including services on the server's internal network and cloud instance metadata endpoints, and read the responses.
What to do today
Upgrade to a Kolibri release that includes the four-layer mitigation (response sanitization, authentication, cross-host redirect blocking, peer allowlisting). If you cannot upgrade immediately, restrict which clients can reach the Kolibri server, limit its outbound network access to the peers it legitimately talks to, and monitor for unexpected outbound HTTP requests from the Kolibri process.