In Joomla! prior to 3.9.19, missing token checks in com_postinstall lead to CSRF.
joomla joomla\! 3.7.0
joomla joomla\!