Vulnerability in EPiServer.Forms
Clicking on a user name with a "+" in it in the Admin UI results in an empty Edit Detail page for the user.
The problem is that the userName parameter is not URL encoded before sending. Therefore, the controller receives a space character (" ") instead of a plus character ("+") in the action's parameter. Because the unescaped username does not match the user's name in the database, the user is not found and the blank detail page is presented.
Update: I can get to the Edit User detail page by substituting the url-encoded plus character in the hash portion of the url: https://localhost:44301/EPiServer/EPiServer.Cms.UI.Admin/default#/AccessRights/Users/UserDetailfirstname.lastname@example.org
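The encoding issue described above, shown as an added example (not code from the thread or from Episerver): a user name containing "+" is placed in a URL both raw and percent-encoded, then parsed the way a form-urlencoded parameter binder parses it, and matched against a constructed user list. The `userName` query-parameter shape, the `findUser` helper and the sample users are assumptions for illustration.

```javascript
// Added example, not from the original post. Demonstrates why a "+" in a
// user name must be percent-encoded before it is put into a URL.
// URLSearchParams applies application/x-www-form-urlencoded decoding, in which
// a literal "+" means a space; this mirrors what a server-side parameter
// binder sees when the client sends the name unencoded.

// Assumed route shape: the user name travels as a "userName" query parameter
// inside the hash route (assumption, not the product's actual route).
const BASE_URL =
  "https://localhost:44301/EPiServer/EPiServer.Cms.UI.Admin/default" +
  "#/AccessRights/Users/UserDetail";

// Constructed sample "database" of users.
const USERS = [
  { userName: "first.last+test@example.org", displayName: "First Last" },
  { userName: "plain.user@example.org", displayName: "Plain User" },
];

// Build the detail-page URL, either naively (the buggy behaviour) or with
// encodeURIComponent (the fix): "+" becomes "%2B", "@" becomes "%40".
function buildUserDetailUrl(userName, encode) {
  const value = encode ? encodeURIComponent(userName) : userName;
  return `${BASE_URL}?userName=${value}`;
}

// Decode the parameter the way a form-urlencoded parser would.
function parseUserName(url) {
  const fragment = url.split("#")[1] || "";
  const query = fragment.split("?")[1] || "";
  return new URLSearchParams(query).get("userName");
}

// Exact-match lookup: a decoded name with a space instead of "+" finds nothing,
// which is the "empty Edit Detail page" symptom from the report.
function findUser(userName) {
  return USERS.find((u) => u.userName === userName) || null;
}

// Usage: compare the raw and encoded round trips for the same user name.
const name = "first.last+test@example.org";
console.log(parseUserName(buildUserDetailUrl(name, false))); // "first.last test@example.org"
console.log(findUser(parseUserName(buildUserDetailUrl(name, false)))); // null
console.log(parseUserName(buildUserDetailUrl(name, true)));  // "first.last+test@example.org"
console.log(findUser(parseUserName(buildUserDetailUrl(name, true))).displayName); // "First Last"
```

The defensive point is that every client-side link built from user-controlled identifiers should pass the value through `encodeURIComponent` (or an equivalent per-component encoder), because "+", "&", "#" and "%" all change meaning once they sit inside a URL.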
I will file a bug for the Commerce team to look into this. Thank you for bringing this to our attention.