Description

- From any user account without authority go to /admin/users page to view employee information but can leak all employee names that 
  exist on the platform.

• The vulnerabilities occurred in the 3 features : delete, set active state, assign role in page /admin/users and /admin/groups/{group_number}/users/

Proof of Concept

   - Step 1 : From the admin account, go to /admin/users or /admin/groups/{group_number}/users/

   - Step 2 :  Choose any account and use 1 of 3 features: delete, set active state, assign role, you will be navigated to a path like this:
           + /admin/bulk/auth/user/delete/?next=%2Fadmin%2Fusers%2F&id=5 (with delete feature)
           + /admin/bulk/auth/user/assign_role/?next=%2Fadmin%2Fusers%2F&id=2 (with assign_role feature)
           +  /admin/bulk/auth/user/set_active_state/?next=%2Fadmin%2Fusers%2F&id=3 (with set_active_state feature)
            * Note : You need to change the value of parameter id to see other user information.
                           With more than 1 &id parameter you can view more user names at the same time (eg : /admin/bulk/auth/user/delete/? 
                           next=%2Fadmin%2Fusers%2F&id=5&id=6&id=4 The condition is that all 3 ids exist)

   - Step 3 : Use any account with the permissions I described in the description, then access the link and change the value of the id 
                    parameter, you can get the names of all users.
             * Note : To make it easiest, first test with an account without any permissions. Then give that account more permissions and check 
                            again

Impact

• Leak all names of users is an extremely dangerous step for attackers to carry out other forms of attacks such as :
  • Brute force login attack
  • Spear Phishing
  • Gathering more information
  • Personalized Attacks
  • and other types of dangerous attacks