Allen Disk 1.6 is vulnerable to cross-site request forgery (CSRF) in setpass.php; the impact is that a password can be changed.
Affected product: Allen Disk 1.6 (vendor: Allen Disk Project)