Hello all,
We just released a change (patches are attached to this email) for a security vulnerability within account search using email. See the email attachments for a patch for the edx-platform master branch and for the open-release/maple.master branch.
Without this patch, it is possible to search for account info including username by using the email of a learner. Our fix disallows searching using email by regular users and restricts this feature to only staff and superusers.
We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches.
If you have any questions, feel free to reach out to me.
Thanks,
Ali Akbar
edX Incident Management
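
The access rule described in the announcement above, as an added example that is not part of the original email and is not the edx-platform patch. All names here (`User`, `ACCOUNTS`, `search_accounts`, `email_search_outcome`) are hypothetical, and the sample accounts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    is_staff: bool = False
    is_superuser: bool = False


# Constructed sample accounts (not real data).
ACCOUNTS = [
    User("alice", "alice@example.com"),
    User("bob", "bob@example.com"),
    User("support", "support@example.com", is_staff=True),
]


def _lookup(username=None, email=None):
    """Return public account info for accounts matching either filter."""
    return [
        {"username": u.username}
        for u in ACCOUNTS
        if (username is not None and u.username == username)
        or (email is not None and u.email.lower() == email.lower())
    ]


def search_accounts_unrestricted(requester, username=None, email=None):
    """Behaviour without the fix: any caller can map an email to a username."""
    return _lookup(username, email)


def search_accounts(requester, username=None, email=None):
    """Behaviour with the fix: email search is limited to staff and superusers."""
    # The check runs before the lookup, so a denied request gets the same
    # answer whether or not the email belongs to an account.
    if email is not None and not (requester.is_staff or requester.is_superuser):
        raise PermissionError("email search is restricted to staff and superusers")
    return _lookup(username, email)


def email_search_outcome(requester, email):
    """Return the result list, or the string 'denied', for an email search."""
    try:
        return search_accounts(requester, email=email)
    except PermissionError:
        return "denied"
```

A regression test for a patched instance should cover both the denial for regular users and the unchanged username search, as the assertions for this example do.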