I have found a CSRF in all the request in /lib/ajax.php by changing the request to GET and the page is also get errors. So user cannot use any function on the page
1. Go to https://demo.froxlor.org/ and login as any user. ie. admin
2. Now open https://demo.froxlor.org/lib/ajax.php?action=updatetablelisting&listing=mysqlserver_list&theme=Froxlor&columns%5Bcaption%5D=caption&columns%5Bhost%5D=host&columns%5Bport%5D=port
3. Then go to https://demo.froxlor.org/admin_admins.php?page=admins
4. You can see the updated columns
5. Then change the column name to unknown ie; https://demo.froxlor.org/lib/ajax.php?action=updatetablelisting&listing=mysqlserver_list&theme=Froxlor&columns%5Bcaption%5D=caption123
6. Then go to https://demo.froxlor.org/admin_admins.php?page=admins and you can see the errors only and due to frontend content changed user difficult to access the function in current page
Video POC: https://drive.google.com/file/d/1-_i7XDSiBIjVIZvZgiCrnh4F9Hjg6GH7/view?usp=share_link