Only Administrative Users should be able to retreive the user Information of other users from the API.
When the username is known (or guessed) every user can get details about every user.
Make the user details only available for the user themself and the Admin.
When running with multiple Users that are not known to each other on the same Graylog Setup, every User would be able to retreive Information about other users. Including what they can access.
This is worse from a company perspective revealing their customer details to other customers, but in addition this could be used as initial informations for further attacks against Graylog.
The text was updated successfully, but these errors were encountered: