atmail prior to 7.8.0.2 has CSRF, allowing an malicious user to upload and import users via CSV.
atmail atmail