An improper authorization vulnerability exists where an authenticated, low privileged remote attacker could view a list of all the users available in the application.
tenable nessus