The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources.
Quote from the CVSS specification
Vulnerabilities with this tag were given a CVSS rating as part of the requirement to be included into the National Vulnerability Database. You can learn more about what the individual scores mean in the CVSS specification document.
The Vulnerability History Project