- Type: Public Security Vulnerability
- Resolution: Fixed
- Priority: Low
- Affects Version/s: 4.8.14
- Component/s: None
- 6.4
- Medium
- CSRF (Cross-Site Request Forgery)
Given some preconditions, it is possible to bypass CSRF protections on all pages. Most significantly, this includes the ability to add new admin users. It’s not “strictly” Cross-Site Request Forgery, since the attack must come from the same site (but a different origin); given the preconditions, however, it has the same effect.
An attacker who meets the preconditions below could create a new admin account and thereby compromise all data stored on the Fisheye / Crucible server.