Drone Nextcloud
Nextcloud
Reported by rbcafe
Vulnerability Details
Greetings,
On Drone: https://drone.nextcloud.com
We observe this:
----
{F152818}
I noticed that it's possible to alter the URL to write whatever you want:
----
https://drone.nextcloud.com/rbcafe/settings/settings/badges
{F152817}
In fact it could be anything:
----
https://drone.nextcloud.com/lonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnlonnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn/settings/settings/badges
{F152819}
The default value of the URL can be extracted with Google dorking on drone.nextcloud.com: inurl:drone.nextcloud.com
- https://drone.nextcloud.com/nextcloud/updater
- https://drone.nextcloud.com/nextcloud/server/settings/badges
Using this we can find new data:
-------------------------------
https://drone.nextcloud.com/nextcloud/server/
{F152820}
https://drone.nextcloud.com/nextcloud/server/4182/1
{F152821}
The Follow and Restart buttons are fully clickable, but there is no purpose because I'm not logged in. Regarding the screenshot in the first observation (F152818), pages should be blocked and remain protected if the login is not valid. The paths should also remain protected from indexation.
Best regards
@Rbcafe
Report Details
State: Closed
Substate: Informative