Yep, another day of testing Drupal code, and today I found user-enumeration bug.
Drupal seems to be vulnerable to user enumeration but this vulnerability is dedicated to logged-in users only:)
If You want to check it at Your installation, let me know ... ;)
Just like it was with Wordpress bugs.
I will present more technical details in April.
Maybe this one today: