Nextcloud: Possibility to force an admin to install recommended applications

Summary: Endpoint /nextcloud/index.php/core/apps/recommended is accessible via GET http method and doesn't check anti-csrf token. If an admin visits this endpoint in a browser the process of installation of recommended applications begins immediately. Steps To Reproduce: 1. an attacker creates a...