A medium-severity information disclosure vulnerability exists in calcom cal.diy versions up to 4.9.4. The vulnerability resides in the `getServerSideProps` function within `apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx`, where manipulation of the `cancelledBy` or `rescheduledBy` arguments can lead to unauthorized information disclosure. The attack vector is network-based, req [truncated]
A Server-Side Request Forgery (SSRF) vulnerability exists in the Logo API component of calcom cal.diy versions up to 4.9.4. The vulnerability resides in the `validateUrlForSSRF` function within `apps/web/app/api/logo/route.ts`. An attacker with low privileges can remotely manipulate this function to induce the server to make unauthorized requests to internal or external resources. The CVSS 4.0 vector indi [truncated]
Cross-site request forgery (CSRF) vulnerability in calcom cal.diy up to version 4.9.4. The vulnerability allows remote attackers to perform unauthorized actions via crafted requests. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, but user interaction is required. The confidentiality impact is none, integrity impact is low, and availability impact is [truncated]