The attacker can easily reuse the view state obtained making legal access to the page to build a bogus request on behalf of another user.