Using a specially crafted login link such as:
user/reset/USER_ID/ABC/ABC/login
Users are able to create a large number of requests to view all the users registered on the target site, provided they are logged in. I can think of many use cases where this would be undesirable, e.g. finding out a list of a company's clients.
The user does not need permission to view any information about users and the following message is displayed:
Another user (LOGGED IN USER) is already logged into the site on this computer, but you tried to use a one-time link for user TARGET USER. Please logout and try using the link again.
I believe this should be fixed as soon as possible.
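
A log check a site operator could run to spot the behaviour described above. This is an added example, not part of the original report. The access-log format, clean-URL paths, client addresses and threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Path shape quoted in the report: user/reset/USER_ID/ABC/ABC/login
# (assumes clean URLs and a common/combined-format access log).
RESET_RE = re.compile(
    r'"(?:GET|POST) /user/reset/(\d+)/[^/\s]+/[^/\s]+/login[ ?]'
)

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /user/reset/1/ABC/ABC/login HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /user/reset/2/ABC/ABC/login HTTP/1.1" 200 5120
198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] "GET /user/reset/12/ABC/ABC/login HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /user/reset/3/ABC/ABC/login HTTP/1.1" 200 5120
198.51.100.20 - - [01/Jan/2024:10:00:09 +0000] "GET /user/reset/12/ABC/ABC/login HTTP/1.1" 200 5120
192.0.2.55 - - [01/Jan/2024:10:00:10 +0000] "GET /user/login HTTP/1.1" 200 3011
203.0.113.7 - - [01/Jan/2024:10:00:11 +0000] "GET /user/reset/4/ABC/ABC/login HTTP/1.1" 200 5120
"""


def find_enumerators(log_text, min_distinct_uids=3):
    """Return {client: sorted user IDs} for clients that requested one-time
    login links for at least `min_distinct_uids` different accounts.

    A normal password reset touches one user ID; a client walking through
    many IDs matches the pattern described in the report.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = RESET_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]  # first field is the client address
        seen[client].add(int(match.group(1)))
    return {
        client: sorted(uids)
        for client, uids in seen.items()
        if len(uids) >= min_distinct_uids
    }


if __name__ == "__main__":
    for client, uids in find_enumerators(SAMPLE_LOG).items():
        print(f"{client} requested reset links for {len(uids)} accounts: {uids}")
```

Counting distinct user IDs rather than raw requests keeps a user who retries their own link several times from being flagged.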