An attacker is able to exploit features of the target that should be
						reserved for privileged users or administrators but are exposed to use by
						lower or non-privileged accounts. Access to sensitive information and
						functionality must be controlled to ensure that only authorized users are
						able to access these resources. If access control mechanisms are absent or
						misconfigured, a user may be able to access resources that are intended only
						for higher level users. An attacker may be able to exploit this to utilize a
						less trusted account to gain information and perform activities reserved for
						more trusted accounts. This attack differs from privilege escalation and
						other privilege stealing attacks in that the attacker never actually
						escalates their privileges but instead is able to use a lesser degree of
						privilege to access resources that should be (but are not) reserved for
						higher privilege accounts. Likewise, the attacker does not exploit trust or
						subvert systems - all control functionality is working as configured but the
						configuration does not adequately protect sensitive resources at an
						appropriate level.