Summary

  • While performing reconnaissance on a target organization, the author came across an endpoint that looked worth a closer look.
  • The endpoint, https://admin-assets.target.com/config/app.viewer?theme=, appeared to reflect a user-supplied parameter back into the response, which is a common precondition for injection bugs.
  • Probing further, the author found that the theme parameter selected a CSS theme for the viewer and that its value was reflected into the page.
  • They then applied parameter tampering, that is, supplying attacker-controlled values for a parameter the application expects to be well-formed, to test whether the endpoint was vulnerable to reflected cross-site scripting (XSS).
  • To do this, the author placed a script payload in the theme parameter and requested the endpoint; the response reflected the payload unencoded, so the browser executed it.
  • An attacker could therefore run arbitrary JavaScript in a victim's browser, in the context of the victim's session on that origin, limited only by whatever that user is permitted to do there.
  • While testing this, the author found that the target organization placed little to no restriction on the permissions of such users, which makes the vulnerability particularly dangerous.
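
The pattern the write-up describes, reconstructed as an added example (this is illustrative code, not the target's application or the author's payload): a viewer handler that interpolates the theme query parameter straight into HTML, the same handler hardened with an allow-list plus output encoding, and the reflection check a tester performs by hand. The theme names, the probe string and the template markup are assumptions.

```javascript
// Added example, not code from the original write-up. Theme names,
// markup and the probe payload are assumptions for illustration.

const ALLOWED_THEMES = new Set(["light", "dark", "high-contrast"]);
const DEFAULT_THEME = "light";

// Minimal HTML entity encoding, sufficient for text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Extract ?theme= the way the handler would (empty string if absent).
function themeFromUrl(url) {
  return new URL(url).searchParams.get("theme") ?? "";
}

// VULNERABLE: the raw parameter lands inside an attribute and a class.
// A value such as  "><script>...</script>  closes the attribute and
// injects markup that the browser then executes.
function renderViewerVulnerable(theme) {
  return (
    "<!doctype html><html><head>" +
    `<link rel="stylesheet" href="/themes/${theme}.css">` +
    `</head><body class="theme-${theme}">viewer</body></html>`
  );
}

// HARDENED: accept only known theme names, fall back to the default,
// and still encode on output so no context-specific bypass survives.
function renderViewerHardened(theme) {
  const chosen = ALLOWED_THEMES.has(theme) ? theme : DEFAULT_THEME;
  const t = escapeHtml(chosen);
  return (
    "<!doctype html><html><head>" +
    `<link rel="stylesheet" href="/themes/${t}.css">` +
    `</head><body class="theme-${t}">viewer</body></html>`
  );
}

// The manual reflection test: send a marker payload and see whether
// it comes back byte-for-byte. Verbatim reflection of a payload that
// contains < > " is the signal that the parameter is injectable.
const PROBE = '"><script>alert(document.domain)</script>';

function reflectsUnencoded(render, payload) {
  return render(payload).includes(payload);
}

// Stand-alone demonstration against a constructed request URL.
const requestUrl =
  "https://admin-assets.target.com/config/app.viewer?theme=" +
  encodeURIComponent(PROBE);
const theme = themeFromUrl(requestUrl);
console.log("vulnerable reflects probe:", reflectsUnencoded(renderViewerVulnerable, theme));
console.log("hardened reflects probe:  ", reflectsUnencoded(renderViewerHardened, theme));
```

The allow-list does the real work here: a theme selector has a tiny set of legal values, so rejecting everything else removes the attack surface entirely, and the output encoding is defence in depth for the day someone adds a free-form value to the template.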

By Iski