An issue exists in Bloomreach Experience Manager (brXM) 4.1.0 up to and including 14.2.2. It allows CSRF if the attacker uses GET where POST was intended.
bloomreach experience manager