A low-privilege user (I tested it with an Editor-privilege user) can create any role in the application.

Make a POST request to /Admin/Roles/Create using the low-privilege user's cookie and __RequestVerificationToken. A new role will be created with the specified name.

A low-privilege user can therefore create any number of roles, which breaks the authorization model of this application: role creation is supposed to be an administrator-only operation.
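To make the missing control concrete, here is the ASP.NET Core MVC pattern that produces this behaviour beside its fixed form, as an added illustration that is not the application's own code; the area, controller, action and role names are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Assumed layout: an "Admin" area whose RolesController answers POST /Admin/Roles/Create
// and persists roles through ASP.NET Core Identity's RoleManager. All names are assumptions.

// BEFORE (the pattern behind the reported behaviour): the action validates the
// anti-forgery token but never checks *who* is calling. The token only proves the
// request was built from a page served to this same session, so an Editor's cookie
// plus the Editor's own __RequestVerificationToken passes and the role is created.
[Area("Admin")]
public class RolesControllerVulnerable : Controller
{
    private readonly RoleManager<IdentityRole> _roles;
    public RolesControllerVulnerable(RoleManager<IdentityRole> roles) => _roles = roles;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Create(string name)
    {
        await _roles.CreateAsync(new IdentityRole(name));   // no authorization check at all
        return RedirectToAction("Index");
    }
}

// AFTER: authorization is enforced server-side at controller level, so it covers every
// action (Create, Edit, Delete and any added later), not only the link hidden in the UI.
[Area("Admin")]
[Authorize(Roles = "Administrator")]   // assumed name of the admin role
public class RolesController : Controller
{
    private readonly RoleManager<IdentityRole> _roles;
    public RolesController(RoleManager<IdentityRole> roles) => _roles = roles;

    [HttpPost, ValidateAntiForgeryToken]   // CSRF protection stays; it is a separate control
    public async Task<IActionResult> Create(string name)
    {
        if (string.IsNullOrWhiteSpace(name)) return BadRequest("Role name is required.");
        var result = await _roles.CreateAsync(new IdentityRole(name.Trim()));
        if (!result.Succeeded) return BadRequest(result.Errors);
        return RedirectToAction("Index");
    }
}
```

A fallback policy that requires an authenticated user would not have prevented this finding on its own, because the Editor is authenticated; the check has to be on the role or an equivalent policy.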