A hardcoded AES key in CipherUtils.java in the Java applet of konzept-ix publiXone before 2020.015 allows attackers to craft password-reset tokens or decrypt server-side configuration files.
PubliXone version 2019.045 suffers from cross site scripting, account takeover, missing access control, hardcoded keys, and file download vulnerabilities.