An issue exists in Aviatrix Controller versions prior to 5.4.1204. An API call on the web interface lacked a session token check to control access, leading to cross-site request forgery (CSRF).
aviatrix controller
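The class of flaw described above, shown as an added example that is not Aviatrix code: a handler that authorizes on the session cookie alone, next to one that also requires a per-session token. The session store, the handler names and the `action` and `token` parameters are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> per-session token.
SESSIONS = {}


def login():
    """Create a session and return (cookie, token).

    The token is handed to the legitimate page only; it is never stored in a
    cookie, so the browser does not attach it to requests automatically.
    """
    cookie, token = secrets.token_hex(16), secrets.token_hex(32)
    SESSIONS[cookie] = token
    return cookie, token


def handle_vulnerable(cookie, params):
    """Missing check: a valid cookie is enough, and browsers send cookies
    with cross-site requests as well as same-site ones."""
    if cookie not in SESSIONS:
        return 401
    return 200  # the state-changing action would run here


def handle_hardened(cookie, params):
    """Requires the per-session token in the request parameters in addition
    to the cookie, compared in constant time."""
    expected = SESSIONS.get(cookie)
    if expected is None:
        return 401
    supplied = params.get("token", "")
    if not isinstance(supplied, str):
        return 403
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    return 200  # the state-changing action would run here
```

A request that carries the cookie but no token is accepted by the first handler and rejected with 403 by the second.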