An issue exists in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user.
redaxo redaxo cms 4.7.2