The problem here is related to identity and permissions. As the official definition states:
"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities."
This is even worse when the falsely authenticated users are remote (the typical case) and therefore difficult to track.
There are multiple problems here: