Summary:
The ██████████ website allows access to PII of all site users via faulty access control to the /██████ endpoint.
Restrict access to the /██████████ module to only administrative users.
An adversary can gain access to PII of all ███████ users.