LDAP directory users and groups exposed via the /users/userpicker.action.

There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior.

The second exposed function that is part of this vulnerability is /spaces/opengrouppicker.action which can be accessed by anonymous users for internal directory browsing.