Not really a security flaw per se. The certificates contain the public key for the individual. That should not be a security risk. The whole idea of public keys is that they can be public.
I think the issue is that it exposes your user list, which allows for phishing attempts.
For myself, I think that any directory server should not be accessible from outside your organization. If you are setting up users on Zeroshell then you are using it as a directory server and the home screen on it should not be accessible from outside your organization.
Inside your organization, having your users visible should not be too big an issue.