Impact
An authenticated low-privileged account that belongs to an organisation
can retrieve detailed profile information about other users in the same organisation by directly invoking user.one.
The response discloses personally identifiable information (PII) such as e-mail address,
role, two-factor status, organisation ID, and various account flags.
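The following is an added example, not the project's code, modelling a user.one-style lookup in the vulnerable shape described above beside a hardened shape that enforces a same-organisation check and a caller-dependent projection. The field names follow the advisory; the "admin" role name, the in-memory directory and the sample records are constructed assumptions.

```javascript
// Constructed sample directory: two members of org-A and one member of org-B.
const USERS = [
  { id: 'u1', organisationId: 'org-A', email: 'alice@example.test', name: 'Alice',
    role: 'admin', twoFactorEnabled: true, flags: { suspended: false } },
  { id: 'u2', organisationId: 'org-A', email: 'bob@example.test', name: 'Bob',
    role: 'member', twoFactorEnabled: false, flags: { suspended: false } },
  { id: 'u3', organisationId: 'org-B', email: 'carol@example.test', name: 'Carol',
    role: 'member', twoFactorEnabled: true, flags: { suspended: false } },
];

// Vulnerable shape: any authenticated caller receives the full record,
// including e-mail, role, two-factor status, organisation ID and flags.
function userOneVulnerable(callerId, targetId) {
  return USERS.find(u => u.id === targetId) ?? null;
}

// Hardened shape: resolve the caller, refuse cross-organisation lookups, and
// return PII only to the user themself or to an organisation admin
// (the "admin" role name is an assumption for this example).
function userOneHardened(callerId, targetId) {
  const caller = USERS.find(u => u.id === callerId);
  const target = USERS.find(u => u.id === targetId);
  if (!caller || !target) return null;
  // Answer cross-org requests exactly like "not found" so the endpoint
  // does not confirm whether the requested id exists.
  if (caller.organisationId !== target.organisationId) return null;
  const privileged = caller.id === target.id || caller.role === 'admin';
  if (privileged) return { ...target };
  // Low-privileged same-org caller: directory fields only, no PII.
  return { id: target.id, name: target.name };
}
```

Detection-wise, the difference between the two shapes is visible in the response body: a member-role caller fetching another member should never see the email or twoFactorEnabled fields.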
Patches
The fix will be available in v0.23.7.