The UserTakeOver plugin prior to 4.0.1 for ILIAS allows an malicious user to list all users via the search function.
sr.solutions usertakeover