Hi, this is Merroun Lahcen from DevSecure. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted — any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.
Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.
This is critical because it gives full access to PII, including email addresses, for all customers in the company database, even those outside my tenant or context.
I accessed it with a low-privilege admin user: an admin with no access to any data for his own tenant can access all of that.
POC
1/ Log in at https://admin.company.com/ as admin.
2/ Go to https://admin.company.com/user/details/linkedusers.
3/ In Burp Suite you can see a request to the API:
GET /api/rest/user/details/linkedUsers?start=0&limit=100 HTTP/1.1
Host: api.company.com
Take the cookies from this request; we will use them in the next request. Or just replace (/user/details/linkedUsers?start=0&limit=100) with (/user/details/110?limit=50 HTTP/1.1).
4/ From this endpoint, using your cookie, you can get user information, including the email address,
for a user with id 110:
GET /api/rest/userdetails/110?limit=50 HTTP/1.1
Host: api.company.com
Now you can access any user in the company database.
This is my id:
1133224
I tried it with some ids as a POC.
Any hacker can enumerate the full DB in just 1 HOUR.
And as an admin you can try this with another admin who has no access to anything in the company (using his cookie) and still have access to the full company user info in the DB.
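To make the root cause of the finding concrete, here is an added example (not code from the original write-up or from the affected vendor) that models the /user/details/{id} lookup: the vulnerable handler checks only that the caller is logged in, while the fixed handler also verifies that the requested user belongs to the caller's tenant and that the caller is allowed to read it. The user records, tenant names and function names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    tenant: str
    email: str


@dataclass(frozen=True)
class Session:
    user_id: int
    tenant: str
    role: str  # "admin" or "user"


# Constructed sample "company database": users from two different tenants.
USERS = {
    110: User(110, "tenant-a", "alice@example.com"),
    111: User(111, "tenant-a", "bob@example.com"),
    1133224: User(1133224, "tenant-b", "researcher@example.com"),
}


class Forbidden(Exception):
    pass


def get_user_details_vulnerable(session: Session, user_id: int) -> dict:
    """Authenticated but not authorized: any valid session reads any id (the IDOR)."""
    user = USERS[user_id]
    return {"id": user.id, "email": user.email}


def get_user_details_fixed(session: Session, user_id: int) -> dict:
    """Object-level authorization: the record must be in the caller's tenant and
    the caller must be a tenant admin or the user themself."""
    user = USERS.get(user_id)
    # Same error for unknown and foreign ids, so the endpoint does not confirm
    # which ids exist in other tenants (that confirmation is what makes enumeration cheap).
    if user is None or user.tenant != session.tenant:
        raise Forbidden("not found")
    if session.role != "admin" and session.user_id != user.id:
        raise Forbidden("not found")
    return {"id": user.id, "email": user.email}


def lookup_allowed(session: Session, user_id: int) -> bool:
    """True if the fixed handler would serve this lookup, False if it refuses."""
    try:
        get_user_details_fixed(session, user_id)
        return True
    except Forbidden:
        return False
```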
Impact
PII CUSTOMERS INFORMATION DISCLOSURE
Platform:
Intigriti
Timeline:
Reported: 10/02/2023
Triaged: 13/02/2023
Accepted & paid: 13/02/2023
Bounty: €3,000
https://app.intigriti.com/profile/merroun