Due to an improper authorization check in core an attacker with access to at least two user account is able to access the file names of other users.
Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename.
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0