With address book access, SMB/FTP settings could be modified, redirecting scans and possibly capturing credentials. This requires enabled scan functions and printer access.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.