A medium-severity information disclosure vulnerability exists in calcom cal.diy versions up to 4.9.4. The vulnerability resides in the `getServerSideProps` function within `apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx`, where manipulation of the `cancelledBy` or `rescheduledBy` arguments can lead to unauthorized information disclosure. The attack vector is network-based, req [truncated]
A Server-Side Request Forgery (SSRF) vulnerability exists in the Logo API component of calcom cal.diy versions up to 4.9.4. The vulnerability resides in the `validateUrlForSSRF` function within `apps/web/app/api/logo/route.ts`. An attacker with low privileges can remotely manipulate this function to induce the server to make unauthorized requests to internal or external resources. The CVSS 4.0 vector indi [truncated]
