From 0c38968c580dbc42e83159eb3adcb3e48e3b5613 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Sat, 29 Nov 2025 18:27:08 -0700 Subject: [PATCH] Fix email disclosure in user edit page title (GHSA-4cwq-j7jv-qmwg) Security fix for IDOR-style information disclosure where the admin email address was leaked in the page `<title>` tag even on 403 Forbidden responses. The edit view title template previously included the email: {{ fullname ?? username }} <{{ email }}> Now shows only the name/username without email: {{ fullname ?? username }} This prevents low-privilege users from enumerating admin email addresses by accessing /admin/accounts/users/{username} URLs. --- system/blueprints/flex/user-accounts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/blueprints/flex/user-accounts.yaml b/system/blueprints/flex/user-accounts.yaml index 74baeb623..5df1177bc 100644 --- a/system/blueprints/flex/user-accounts.yaml +++ b/system/blueprints/flex/user-accounts.yaml @@ -72,7 +72,7 @@ config: # Edit view edit: title: - template: "{{ form.value('fullname') ?? form.value('username') }} <{{ form.value('email') }}>" + template: "{{ form.value('fullname') ?? form.value('username') }}" # Configure view configure:
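Review bot: The new `template:` line still interpolates `form.value('fullname')` and `form.value('username')` into a title that, according to the commit message, is rendered even when the request ends in a 403, so a low-privilege caller can still tell an existing account from a non-existent one and read its display name; only the email field was removed, not the rendering of object data ahead of the authorization decision. If the 403 path cannot be made to skip this template, the reason the email must stay out should at least be recorded so it is not reintroduced, e.g. `# Do not add PII (email etc.) here: the title is rendered even on 403 responses (GHSA-4cwq-j7jv-qmwg)` placed above `template:`. Whether `fullname` counts as sensitive is a policy call for this deployment, but the remaining enumeration property is worth stating in the advisory text. The enclosing `config:`/`edit:` mapping starts before this hunk.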