rdiffweb is vulnerable to cross-site request forgery (CSRF). The vulnerability exists in the render_prefs_panel function in pref_notification.py because the server accepts GET requests that modify repository notification settings, which allows an attacker to disable the email notifications sent to users.
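The usual mitigation for this class of bug is to let GET only render the panel and to accept changes only from a same-origin POST. The sketch below is an added example, not rdiffweb's code: the handler name, the origin, and the repository/day parameters are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://backup.example.test"  # assumption: the site's own origin


class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def check_state_change(method, headers, trusted_origin=TRUSTED_ORIGIN):
    """Raise Rejected unless the request is allowed to modify settings."""
    if method.upper() != "POST":
        raise Rejected(405, "settings can only be changed with POST")
    # Modern browsers typically send Origin (or at least Referer) on cross-site POSTs.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        raise Rejected(403, "missing Origin/Referer header")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != trusted_origin:
        raise Rejected(403, "cross-origin request")


def handle_notification_prefs(method, headers, params, settings):
    """Hypothetical handler: returns (status, settings after the request)."""
    if method.upper() in ("GET", "HEAD"):
        # Safe methods only render the panel; query parameters are ignored.
        return 200, dict(settings)
    try:
        check_state_change(method, headers)
    except Rejected as exc:
        return exc.status, dict(settings)
    for repo, days in params.items():
        if repo in settings:            # only repositories already configured
            settings[repo] = int(days)  # 0 disables the notification
    return 200, dict(settings)


if __name__ == "__main__":
    prefs = {"laptop": 7}  # constructed sample: notify after 7 days
    print(handle_notification_prefs("GET", {}, {"laptop": "0"}, prefs))
    print(handle_notification_prefs(
        "POST", {"Origin": "https://attacker.example"}, {"laptop": "0"}, prefs))
    print(handle_notification_prefs(
        "POST", {"Origin": TRUSTED_ORIGIN}, {"laptop": "0"}, prefs))
```

A per-session anti-CSRF token checked on the same POST path is the stronger complement to the origin check shown here.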