Data leak of registered users

Hi,

I discovered, that even with the smallest amount of user privileges (just enough to login) I am able to get name & email addresses of other available users.

I verified that in my live frappecloud account, where I was able to read 82 user data of frappe employees/users.

I accomplished this with with the search_link / search_widget service, which is used for value helps.

So at this point I don’t want to get deeper, as the problem is obviously still present.

Please tell me, who will be able to sort that out → I’ll send all details via DM.

I’m new here and am interested to follow what happens given this sort of report. Please keep this thread posted.