CSRF: Replacing the router configuration backup as an 'operator' user and bypassing the 'Referer:' whitelist protection
Critical
Ubiquiti Inc.
Team Summary
Official summary from Ubiquiti Inc.
In EdgeOS version `1.9.1` and prior, the researcher was able to bypass the CSRF protection. An attacker with access to an operator (read-only) account can lure an admin (root) user to access an attacker-controlled page; doing so will allow the attacker to gain admin privileges in the system.
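The page does not say how the Referer whitelist was bypassed, so the following is an added example (not EdgeOS code and not the reporter's method) of two Referer-check patterns that such whitelists commonly get wrong, beside a strict origin comparison and a per-session token. The router origin `https://192.168.1.1`, the header dictionaries and the session object are all constructed for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed: origin on which the (hypothetical) router admin UI is served.
ROUTER_ORIGIN = "https://192.168.1.1"


def loose_referer_ok(headers: dict) -> bool:
    """Weak whitelist: accept if the router address appears anywhere in the
    Referer, and accept requests that carry no Referer at all. Both choices
    are common in embedded web UIs and both let a cross-site request through."""
    referer = headers.get("Referer")
    if referer is None:
        return True
    return "192.168.1.1" in referer


def _effective_port(parts) -> Optional[int]:
    """Port from a split URL, defaulting by scheme; None if unparsable."""
    try:
        explicit = parts.port
    except ValueError:
        return None
    if explicit is not None:
        return explicit
    return {"https": 443, "http": 80}.get(parts.scheme)


def strict_origin_ok(headers: dict, expected_origin: str = ROUTER_ORIGIN) -> bool:
    """Strict check: Origin (or Referer as a fallback) must match the expected
    scheme, host and port exactly; a missing or unparsable value is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, exp = urlsplit(source), urlsplit(expected_origin)
    if got.scheme not in ("http", "https") or not got.hostname:
        return False
    return (got.scheme == exp.scheme
            and got.hostname == exp.hostname
            and _effective_port(got) == _effective_port(exp))


def issue_csrf_token(session: dict) -> str:
    """Bind a random per-session token to the session; embed it in admin forms."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def restore_config_allowed(headers: dict, session: dict, form_token: Optional[str]) -> bool:
    """Defence in depth for a state-changing request such as a config restore:
    the strict origin check AND a constant-time match of the submitted token."""
    if not strict_origin_ok(headers):
        return False
    expected = session.get("csrf")
    if not expected or not form_token:
        return False
    return hmac.compare_digest(expected, form_token)
```

With the loose check, a page at `http://192.168.1.1.attacker.example/` (router address as a DNS label), a path containing the address, or a request stripped of its Referer all pass; the strict check rejects each, and the token makes the config-restore form unforgeable even where an origin header is spoofable or absent.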
Reported by
hacknroll
Report Details
State
Closed
Substate
Resolved