The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.