CWE-502 Deserialization of Untrusted Data
The user's cookie is stored in the browser. Because the server does not sign the cookie, the user can change its contents without the server's permission. If the last number is changed to 50 or more, the user has effectively elevated their permissions to administrator level.
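The following is an added example, not code from the page. It assumes the cookie body is a JSON object whose `level` field is the "last number" the text refers to, and it places the vulnerable pattern (trusting whatever the client stored) beside the fix: an HMAC-signed cookie that the server verifies before deserializing, so a body edited in the browser no longer matches its tag and is rejected.

```python
import base64
import hashlib
import hmac
import json

ADMIN_LEVEL = 50  # from the text: a level of 50 or more means administrator


def is_admin_unsigned(cookie: str) -> bool:
    """Vulnerable pattern (CWE-502): deserialize and trust client-controlled data.

    Whatever level the browser sends back is believed, so the privilege
    decision is effectively made by the client.
    """
    data = json.loads(cookie)
    return int(data["level"]) >= ADMIN_LEVEL


def sign_cookie(payload: dict, key: bytes) -> str:
    """Serialize the session payload and append an HMAC-SHA256 tag.

    Format (assumed for this example): "<urlsafe-base64 json>.<hex tag>".
    """
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_signed_cookie(cookie: str, key: bytes):
    """Return the payload only if the tag verifies; otherwise None.

    Verification happens before any parsing of the body, so a modified
    or forged cookie never reaches the deserializer.
    """
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # tampered or forged: reject (and log) the request
    return json.loads(base64.urlsafe_b64decode(body))


def is_admin_signed(cookie: str, key: bytes) -> bool:
    """Fixed pattern: privilege level is read only from a verified cookie."""
    data = load_signed_cookie(cookie, key)
    return data is not None and int(data.get("level", 0)) >= ADMIN_LEVEL
```

The signing key must stay server-side; with it, the client can still read the cookie but cannot produce a valid tag for an altered body, which also makes tamper attempts visible in server logs.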