1. Access another user's endpoint, for example: `GET /admin/accounts/users/admin`
2. Observe the HTTP 403 Forbidden response.
3. Inspect the page source; sensitive data such as the admin email can be seen in the `<title>` tag.
PoC Video:
We request a CVE ID for this vulnerability once validated.
Please credit the discovery to:
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| getgrav/grav | composer | < 1.8.0-beta.27 | 1.8.0-beta.27 |
The vulnerability is an Insecure Direct Object Reference (IDOR) in the Grav CMS Admin Panel, which allows low-privilege users to obtain sensitive information, specifically the email addresses of other users. When a non-privileged user attempts to access another user's account page, they receive a 403 Forbidden response. However, the email address of the targeted user is leaked in the <title> tag of the HTML response.
The investigation of the provided patch commit b7e1958a6e807ac14919447b60e5204a2ea77f62 reveals a change in the system/blueprints/flex/user-accounts.yaml file. The template for the page title was modified to remove the user's email address:
- template: "{{ form.value('fullname') ?? form.value('username') }} <{{ form.value('email') }}>"
+ template: "{{ form.value('fullname') ?? form.value('username') }}"
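Review bot: the template change removes only the email from the title; if, as the analysis below argues, the title is still rendered from the target user's record before the authorization check rejects the request, the patched template `{{ form.value('fullname') ?? form.value('username') }}` still places the target's full name in the `<title>` of the 403 page. Suggest the 403 path return a fixed title and not load or render the target's blueprint at all, keeping the template change as defence in depth.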
This change directly addresses the information leak. While the patch is in a YAML configuration file, the actual vulnerability resides in the PHP code that utilizes this template. The vulnerability description provides a crucial hint by referencing system/src/Grav/Common/Flex/Types/Users/UserCollection.php and including a screenshot that suggests a render method. It is highly probable that the render method within the UserCollection class is responsible for fetching user data and rendering the account page. This method uses the aforementioned template to construct the page title. The vulnerability occurs because the user's data is fetched and the title is rendered even when the authorization check fails, leading to the information disclosure on the 403 error page. Therefore, UserCollection.render is the key function that would be active during the exploitation of this vulnerability and would appear in a runtime profile.
UserCollection.render in system/src/Grav/Common/Flex/Types/Users/UserCollection.php
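To make the ordering problem concrete, the following is an added PHP illustration, not Grav's own code: the vulnerable pattern (load the target record and render the title, then authorize) beside a hardened one (authorize first, never render target data into an error page), with a regression check that asserts a 403 response carries no email. The user store, renderTitle, renderAccountPageVulnerable, renderAccountPageFixed and leaksEmail are all constructed for this example and only mirror the template shown in the patch above.

```php
<?php
// Constructed user store standing in for the CMS account records.
$users = [
    'admin' => ['username' => 'admin', 'fullname' => 'Site Admin', 'email' => 'admin@example.test'],
    'bob'   => ['username' => 'bob',   'fullname' => null,         'email' => 'bob@example.test'],
];

// Stand-in for the blueprint title template; $includeEmail selects the
// pre-patch ("fullname <email>") or post-patch ("fullname") form.
function renderTitle(array $user, bool $includeEmail): string {
    $title = $user['fullname'] ?? $user['username'];
    return $includeEmail ? "$title <{$user['email']}>" : $title;
}

// Vulnerable ordering (hypothetical): the target record is loaded and the
// <title> rendered before the authorization decision, so the 403 page still
// carries the target's email address.
function renderAccountPageVulnerable(array $users, string $requester, string $target): array {
    $title = renderTitle($users[$target], true);
    if ($requester !== $target && $requester !== 'admin') {
        return [403, "<html><head><title>$title</title></head><body>Forbidden</body></html>"];
    }
    return [200, "<html><head><title>$title</title></head><body>...</body></html>"];
}

// Hardened ordering (hypothetical): authorize first; the error response uses a
// fixed title and never touches the target's record.
function renderAccountPageFixed(array $users, string $requester, string $target): array {
    if ($requester !== $target && $requester !== 'admin') {
        return [403, "<html><head><title>Forbidden</title></head><body>Forbidden</body></html>"];
    }
    $title = renderTitle($users[$target], false);
    return [200, "<html><head><title>$title</title></head><body>...</body></html>"];
}

// Regression check: a non-200 response must not contain the target's email.
function leaksEmail(array $response, string $email): bool {
    [$status, $body] = $response;
    return $status !== 200 && str_contains($body, $email);
}

// Low-privilege user "bob" requests the "admin" account page in both variants.
foreach (['vulnerable' => 'renderAccountPageVulnerable', 'fixed' => 'renderAccountPageFixed'] as $label => $fn) {
    $response = $fn($users, 'bob', 'admin');
    printf("%-10s status=%d leaks email: %s\n", $label, $response[0],
        leaksEmail($response, $users['admin']['email']) ? 'yes' : 'no');
}
```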