CVE-2017-9517by Jeremyin Security Bulletinson Posted on June 8, 2017 atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and import users via CSV.