Impact
An authenticated Control Panel user could use an endpoint intended for the user creation wizard to determine if a given email address belongs to an existing user, without having permission to view users.
The endpoint only exposed user existence, not any of its data.
Patches
This has been fixed in 5.74.1 and 6.24.0.
Impact
An authenticated Control Panel user could use an endpoint intended for the user creation wizard to determine if a given email address belongs to an existing user, without having permission to view users.
The endpoint only exposed user existence, not any of its data.
Patches
This has been fixed in 5.74.1 and 6.24.0.