CiviCRM uses AJAX callbacks to provide advisory details while completing certain forms. For example, when registering a new user through a profile form, CiviCRM issues an AJAX request to determine whether the username is available.
Some AJAX callbacks did not test for authorization, enabling untrusted parties to:
- Determine whether a username was in use
- Determine the primary email address for a given contact ID
- Determine the list of available options in certain custom fields
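
One way to keep callbacks like these from answering untrusted callers is a dispatcher that refuses any callback lacking a declared permission the caller holds. This is an added example, not CiviCRM's code or its actual fix; the route names, permission strings and sample data are hypothetical.

```php
<?php
// Added illustration, not CiviCRM code. Route names, permission strings
// and the data below are hypothetical and constructed for this example.
const CONTACT_EMAILS = [101 => 'alice@example.org', 102 => 'bob@example.org'];
const USERNAMES = ['alice', 'bob'];

// Each AJAX callback declares the permission it needs. A route with no
// declaration is refused, so a forgotten check fails closed.
$routes = [
    'usernameInUse' => [
        'permission' => 'manage accounts',
        'handler' => fn(array $p) => ['inUse' => in_array($p['name'] ?? '', USERNAMES, true)],
    ],
    'contactEmail' => [
        'permission' => 'view contacts',
        'handler' => fn(array $p) => ['email' => CONTACT_EMAILS[(int) ($p['cid'] ?? 0)] ?? null],
    ],
    // Deliberately missing 'permission': the dispatcher must refuse it.
    'customFieldOptions' => [
        'handler' => fn(array $p) => ['options' => ['Red', 'Green']],
    ],
];

function dispatch(array $routes, string $name, array $params, array $userPerms): array
{
    $route = $routes[$name] ?? null;
    if ($route === null) {
        return ['status' => 404, 'body' => ['error' => 'unknown callback']];
    }
    $required = $route['permission'] ?? null;
    // Authorization is decided before the handler runs, and the refusal is
    // identical whether or not the requested record exists.
    if ($required === null || !in_array($required, $userPerms, true)) {
        return ['status' => 403, 'body' => ['error' => 'not authorized']];
    }
    return ['status' => 200, 'body' => $route['handler']($params)];
}

// Anonymous caller (no permissions) asking for a contact's email.
print_r(dispatch($routes, 'contactEmail', ['cid' => 101], []));
// Caller holding the declared permission.
print_r(dispatch($routes, 'contactEmail', ['cid' => 101], ['view contacts']));
// Route with no declared permission, called by a privileged user.
print_r(dispatch($routes, 'customFieldOptions', [], ['view contacts']));
```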