The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator.
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02