Redmine before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.
Redmine before 4.2.3 may disclose the names of users on activity views due to an insufficient access filter.
https://www.redmine.org/projects/redmine/wiki/Security_Advisories https://www.redmine.org/issues/35789 https://github.com/redmine/redmine/commit/3fd9787e43f7092490e7f0ce36900bbeafd4921b