public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtaining admin privileges.
ladybirdweb faveo helpdesk 1.9.3