CVE-2021-41074 CSRF in Qloapps HotelCommerce 1.5.1 There is a CSRF in HotelCommerce 1.5.1. It can allow anyone to change the admin email. If an attacker gets an admin to click a maliciously crafted html document, they can change the admin user email.