Personal information can be leaked by omitting capture token in mailing
I've tested this on 5.0. I don't see any changelog entry that would make this not happen in newer versions.
I'm sure there is a more minimal repro if I understood the root cause.
Repro:
Create a group with 3 contacts, I'll call them contact1 contact2 contact3.
Do a mailing to that group, where the HTML and plain text versions of the email are both this:
{capture assign=addressee}{contact.addressee}{/capture}
Dear {if $addressee }{ $addressee }{else}Supporter{/if},
{domain.address}
{action.optOutUrl}
Have contact3 opt out using the link in the email.
Reuse that mailing to create a new one. Name it differently, and change just the text version of the email to be this:
Dear {if $addressee }{ $addressee }{else}Supporter{/if},
{domain.address}
{action.optOutUrl}
Expected result:
Text version of second email says "Dear Supporter" to two contacts.
Actual result:
contact1 gets an email saying "Dear Supporter". contact2 gets an email saying "Dear contact1".
Now contact1's name and the fact that they are on this list has been revealed to contact2. This is private information which should not have been revealed to contact2.
This should be considered a very high priority issue, because in a larger group, almost all contacts would receive the private information of someone other than themselves, which is a serious data breach / privacy problem.
If this bug is confirmed, as part of the fix I recommend creating a tool which can analyze Civi users' past mailings to see if any of them were affected by this bug.
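One way to start the audit suggested above is to flag every stored mailing body that reads a Smarty variable it never assigns itself, which is the shape of the second mailing's text version in the repro. This is an added example, not part of the original report or of CiviCRM's code; the row layout (id, body_html, body_text), the function names and the sample rows are assumptions, and the heuristic assumes the trigger is a variable read without an earlier assignment in the same body.

```python
import re

TAG_RE = re.compile(r"\{([^{}]*)\}")   # one Smarty tag or CiviCRM token
VAR_RE = re.compile(r"\$(\w+)")        # $variable referenced inside a tag
# Tags that create a template variable: {capture assign=x}, {assign var=x}, {foreach item=x}
ASSIGN_TAG_RE = re.compile(r"^\s*(capture|assign|foreach)\b", re.I)
ASSIGN_ATTR_RE = re.compile(r"\b(?:assign|var|item|key)\s*=\s*[\"']?(\w+)", re.I)


def unassigned_vars(body):
    """Return variables read in this body before any assignment in the same body."""
    assigned, flagged = {"smarty"}, set()   # $smarty is Smarty's built-in variable
    for tag in TAG_RE.findall(body or ""):
        # Reads are checked first, so {assign var=x value=$y} still flags $y.
        flagged.update(v for v in VAR_RE.findall(tag) if v not in assigned)
        if ASSIGN_TAG_RE.match(tag):
            assigned.update(ASSIGN_ATTR_RE.findall(tag))
    return sorted(flagged)


def scan_mailings(mailings):
    """Check the HTML and text parts separately; each part must assign what it reads."""
    findings = []
    for m in mailings:
        for part in ("body_html", "body_text"):
            names = unassigned_vars(m.get(part))
            if names:
                findings.append((m["id"], part, names))
    return findings


# Constructed sample rows mirroring the two mailings in the repro.
WITH_CAPTURE = (
    "{capture assign=addressee}{contact.addressee}{/capture}\n"
    "Dear {if $addressee }{ $addressee }{else}Supporter{/if},\n"
    "{domain.address}\n{action.optOutUrl}\n"
)
WITHOUT_CAPTURE = (
    "Dear {if $addressee }{ $addressee }{else}Supporter{/if},\n"
    "{domain.address}\n{action.optOutUrl}\n"
)
SAMPLE_MAILINGS = [
    {"id": 1, "body_html": WITH_CAPTURE, "body_text": WITH_CAPTURE},
    {"id": 2, "body_html": WITH_CAPTURE, "body_text": WITHOUT_CAPTURE},
]

if __name__ == "__main__":
    for mailing_id, part, names in scan_mailings(SAMPLE_MAILINGS):
        print(f"mailing {mailing_id} {part}: unassigned {', '.join(names)}")
```

A flagged mailing is a candidate for review, not proof of a leak: whether other recipients' data was actually sent depends on what else was rendered in the same run.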