Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the password parameter to admin.php in an a=config action.
hashtopus project hashtopus 1.5g