CSRF related to the duplicate action (the duplication occurs first, before redirecting to the edit form).
GET /en/admin/teams/{id}/duplicate
GET /en/admin/project/{id}/duplicate
This vulnerability can be used to trick admin users into duplicating teams.
These are probably all the unprotected endpoints for the duplicate action that are vulnerable to CSRF; there may be more, but this is what I have found while looking through the files.
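One way to close this gap, shown as an added example that is not the project's own code: the duplicate handler refuses GET and verifies a session-bound token before the copy is made, so the state change can no longer happen ahead of the redirect. `TeamStore`, `handle_duplicate`, the `team.duplicate` token id and the edit redirect path are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret (assumption)


def issue_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action, embedded in the admin form."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def token_valid(session_id: str, action: str, token) -> bool:
    expected = issue_token(session_id, action).encode()
    # Compare as bytes in constant time; a missing token becomes b"".
    return hmac.compare_digest(expected, (token or "").encode())


class TeamStore:
    """Hypothetical in-memory stand-in for the teams table."""

    def __init__(self):
        self.teams = {1: "Support"}  # constructed sample data

    def duplicate(self, team_id: int) -> int:
        new_id = max(self.teams) + 1
        self.teams[new_id] = self.teams[team_id] + " (copy)"
        return new_id


def handle_duplicate(store, method, session_id, team_id, token=None):
    """Return (status, location). Both checks run before any state changes."""
    if method != "POST":
        return 405, None  # a cross-site GET (link, image tag) stops here
    if not token_valid(session_id, "team.duplicate", token):
        return 403, None  # forged cross-site POST carries no valid token
    new_id = store.duplicate(team_id)
    # Redirect to the edit form only after the verified duplication.
    return 302, f"/en/admin/teams/{new_id}/edit"  # path shape is an assumption
```

The same check applies to the project duplicate endpoint with its own action id.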