The system's authorization functionality does not prevent one
					user from gaining access to another user's data or record by modifying the key
					value identifying the data.Retrieval of a user record occurs in the system based on some key value
						that is under user control. The key would typically identify a user related
						record stored in the system and would be used to lookup that record for
						presentation to the user. It is likely that an attacker would have to be an
						authenticated user in the system. However, the authorization process would
						not properly check the data access operation to ensure that the
						authenticated user performing the operation has sufficient entitlements to
						perform the requested data access, hence bypassing any other authorization
						checks present in the system. One manifestation of this weakness would be if
						a system used sequential or otherwise easily guessable session ids that
						would allow one user to easily switch to another user's session and
						read/modify their data.