Fix email disclosure in user edit page title (GHSA-4cwq-j7jv-qmwg)

Security fix for IDOR-style information disclosure where the admin
email address was leaked in the <title> tag even on 403 Forbidden
responses.

The edit view title template previously included the email:
  {{ fullname ?? username }} <{{ email }}>

Now shows only the name/username without email:
  {{ fullname ?? username }}

This prevents low-privilege users from enumerating admin email
addresses by accessing /admin/accounts/users/{username} URLs.
Andy Miller
2025-11-29 18:27:08 -07:00
parent 9d11094e41
commit 0c38968c58


@@ -72,7 +72,7 @@ config:
# Edit view
edit:
title:
template: "{{ form.value('fullname') ?? form.value('username') }} &lt;{{ form.value('email') }}&gt;"
template: "{{ form.value('fullname') ?? form.value('username') }}"
# Configure view
configure:
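Review bot: the new `edit.title.template` closes the reported leak by dropping `form.value('email')`, but the hunk still leaves the 403 path rendering a per-user title from `form.value('fullname') ?? form.value('username')` for an account the requester is not allowed to edit, so the same channel can still reveal whether a given username exists and what its full name is. Consider returning the 403 before the edit view (and its title template) is evaluated for the target account, or rendering a generic title on 403, rather than relying on each field being removed individually.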