atmail prior to 7.8.0.2 is vulnerable to cross-site request forgery (CSRF), allowing a malicious user to change the SMTP hostname and hijack all emails.
atmail atmail