- Bug
- Resolution: Fixed
- High
- 5.0.3
- None
- 5
- 5
The administration screen that facilitates the addition of new custom field options is vulnerable to CSRF: it does not check that the submitted atl_token is in fact the one issued to the user submitting the form (any value in the token field is accepted).
To access this screen, go to a URL similar to the following (it is linked from the issue custom fields administration page (/secure/admin/ViewCustomFields.jspa)):
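As an added illustration, not code from this issue or from Atlassian's codebase, the defect and its fix reduced to the token check itself: one handler accepts any atl_token value, the other compares the submitted value against the token bound to the user's session. The Session class, the handler names and the form parameter optionValue are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a server-side session (assumption, not a JIRA type).
    The anti-CSRF token issued when the form was rendered is bound to this session."""
    user: str
    xsrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def vulnerable_add_option(session: Session, form: dict) -> bool:
    """Mirrors the reported defect: only presence of atl_token is checked,
    so a cross-site POST carrying any value for it is accepted."""
    if not form.get("atl_token"):
        return False
    return True  # the new custom field option would be created here


def fixed_add_option(session: Session, form: dict) -> bool:
    """Hardened handler: the submitted atl_token must equal the token issued to
    this user's session. Bytes + compare_digest give a constant-time comparison."""
    submitted = str(form.get("atl_token", "")).encode()
    if not hmac.compare_digest(submitted, session.xsrf_token.encode()):
        return False
    return True


def demo() -> dict:
    """Constructed requests: a legitimate submission, a forged one with an
    arbitrary token, and one replaying a token issued to a different session."""
    admin = Session(user="admin")
    other = Session(user="other")
    legit = {"optionValue": "Option A", "atl_token": admin.xsrf_token}
    forged = {"optionValue": "Injected", "atl_token": "any-value-at-all"}
    replay = {"optionValue": "Injected", "atl_token": other.xsrf_token}
    return {
        "vulnerable_accepts_forged": vulnerable_add_option(admin, forged),
        "fixed_rejects_forged": not fixed_add_option(admin, forged),
        "fixed_rejects_other_session_token": not fixed_add_option(admin, replay),
        "fixed_rejects_missing_token": not fixed_add_option(admin, {}),
        "fixed_accepts_legit": fixed_add_option(admin, legit),
    }


if __name__ == "__main__":
    print(demo())
```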