Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic

None...

Nextcloud: Stored XSS on new Calling plugin (spreed)

There's a stored xss vulnerability .... Proof Of Concept : =============== 1. Set name as an xss payload like "x. F143238 2. Invite people to single call room. 3. Xss will execute in IE. It doesn't support CSP F143237 Impact : ======== Admin user can be xssed via this method if admin uses browser...