Cross-Site Request Forgery (CSRF) in publify/publify
Reported on
Oct 9th 2021
Description
An attacker is able to craft a URL whose parameters contain the theme-switching command. If a logged-in administrator opens the malicious link, the theme is changed.
Proof of Concept
With an admin user, simply open the following URL (replace the hostname with your own):
https://<HOSTNAME_HERE>/admin/themes/switchto?theme=bootstrap-2
Within the default installation, there are 2 themes:
- plain
- bootstrap-2
Simply replace the parameter value with a theme name, and the selected theme will be activated.
Impact
If an administrator opens a link that changes the site's theme, this can brick the site, because with more complex themes the mapping might not work properly.
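The root cause described above is that the theme switch is a state change triggered by a plain GET request. Rails' standard `protect_from_forgery` check only verifies non-GET/HEAD requests, so a GET endpoint that changes state gets no CSRF protection at all. The usual fix is to make the switch a POST (or PATCH) that carries a synchronizer token tied to the admin's session, optionally check the Origin header as defence in depth, and validate the theme name against the set of installed themes so a bad value cannot leave the site unusable. The following is an added, framework-free Ruby example written for this report (it is not publify's own code); the request and session hashes, `authorize_theme_switch`, and the host name `blog.example` are assumptions standing in for the real Rails controller, session store and request object:

```ruby
require 'securerandom'
require 'uri'

# Installed themes on a default install, as listed in the report.
# A real application would read this from the themes directory.
ALLOWED_THEMES = %w[plain bootstrap-2].freeze

# Constant-time byte comparison so token checks do not leak via timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue (or reuse) a per-session synchronizer token. The token is stored
# server side in the session; the admin UI embeds it in the theme form.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Authorise a theme switch. `request` is a constructed hash with :method,
# :params and :headers; `session` is the admin's session hash; `site_host`
# is the host the application is served from. Returns [status, detail].
def authorize_theme_switch(request, session, site_host)
  # 1. A state change must never be reachable via GET: a link in an e-mail or
  #    an <img src> on a third-party page is all it takes to trigger one.
  return [:rejected, 'state change requires POST'] unless request[:method] == 'POST'

  # 2. Defence in depth: if the browser sent an Origin header, it must match
  #    the site. Cross-site forms always carry a foreign Origin.
  origin = request[:headers]['Origin']
  if origin
    origin_host = URI(origin).host rescue nil
    return [:rejected, 'cross-origin request'] unless origin_host == site_host
  end

  # 3. The synchronizer token must be present and equal to the session's copy.
  expected  = session[:csrf_token]
  submitted = request[:params]['authenticity_token']
  unless expected && secure_compare(expected, submitted.to_s)
    return [:rejected, 'missing or invalid CSRF token']
  end

  # 4. Only an installed theme may be activated; this guards against a value
  #    that would leave the site without a working layout.
  theme = request[:params]['theme']
  return [:rejected, 'unknown theme'] unless ALLOWED_THEMES.include?(theme)

  [:allowed, theme]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  # The report's GET link: rejected before any token is even looked at.
  p authorize_theme_switch({ method: 'GET', params: { 'theme' => 'bootstrap-2' }, headers: {} },
                           session, 'blog.example')
  # A legitimate same-origin form post with the session token: allowed.
  p authorize_theme_switch({ method: 'POST',
                             params: { 'theme' => 'bootstrap-2', 'authenticity_token' => token },
                             headers: { 'Origin' => 'https://blog.example' } },
                           session, 'blog.example')
end
```

In a real Rails application the same outcome is reached by routing the switch action as `post`/`patch` instead of `get`, keeping `protect_from_forgery with: :exception` enabled, and rendering the switch as a form (or button_to) so the authenticity token is submitted with it; the allowlist check on the theme name is an additional safeguard against the bricking scenario described under Impact.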