2 matches found
Uber: [manage.jumpbikes.com] Blind XSS on Jump admin panel via user name
By setting a user's name to an XSS payload, a user was able to inject JavaScript which was executed on the administrative panel for Jump bikes, allowing complete compromise of the panel, exposing user activity, personal information and billing information...
Cloudflare: CSRF and No password requirement in this URL Billing Info
An attacker can launch requests on his victim's behalf on the billing info page. There is a requirement of CSRF token on this page: https://www.cloudflare.com/billing-information. Awaiting your reply...