EBM Technologies RISWEB's specific URL path is not properly controlled by permission, allowing attackers to browse specific pages and query sensitive data without login.