69 matches found
Can enable/disable birthday calendar for any user
Server-Side Request Forgery (SSRF) in Mail app
Admins can change authentication details of user configured external storage
Password of talk conversations can be bruteforced
Improper restriction of excessive authentication attempts on WebDAV endpoint
Users can delete external storage mount points
Notes attachment render HTML in preview mode
user_oidc app stores client secret unencrypted in database
Issuer not verified from obtained token in user_oidc
Advanced permissions not respected when copying entire group folders
User scoped external storage can be used to gather credentials of other users
System addressbooks can be modified by malicious trusted server
Password reset endpoint is not brute force protected
Open redirect on "Unsupported browser" warning
End-to-End encrypted file-drops can be made inaccessible
Blind SSRF in the Mail app on avatar endpoint
Contacts - PHOTO svg only sanitized if mime type is all lower case
User session not correctly destroyed on logout
user_oidc app is missing bruteforce protection
Users can set up workflows using restricted and invisible system tags