1. While editing a template we have total access to the User and UserModel classes via $user
2. One of the UserModel methods is called setUserId
3. If we call setUserId and pass "system" as parameter we get access to the system user role
4. To exploit this flaw we need a user with the following permissions/role:
   • Active; Back-end User
   • Back-end Users need the following permissions:
     • View: Sites, Pages, Templates
     • Edit: Templates

• Limit Access to Template Screen to Administrative Users
• Upgrade to fix version

https://huntr.dev/bounties/5db6c499-a4da-4628-a999-50af4681e1aa/