Harmoni before 1.6.0 does not require administrative privileges to list (1) user names or (2) asset ids, which allows remote attackers to obtain sensitive information.

More... (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3717)