Please use the following steps to address CSRF attacks:
1. Log in to /admin
2. Navigate to /admin?action=list&path=/SYSTEM/conf
3. Edit the properties file to change the following values:
<Property name="cmsConfig.enableRefererCheck" value="yes" />
<Property name="cmsConfig.clickjacking.security.enabled" value="true" />
<Property name="cmsConfig.clickjacking.security.frameoptions.default" value="SAMEORIGIN" />
4. Save the file and republish the file (click the green arrow)
5. As a quick test that the referer check is working correctly, confirm that you can no longer navigate by cutting and pasting into the URL bar (for example, if you're at /admin?action=home, you can't cut and paste to get to /admin?action=list&path=/resources).
A 403 Forbidden message is shown instead.
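To confirm the edit in step 3 was saved as intended, the check below compares a copy of the properties file against the three values listed above. It is an added example, not part of the product or the original steps. It assumes the file holds `<Property name="..." value="..." />` elements as shown and compares values exactly. The sample input, including the `example.unrelated.setting` name, is constructed.

```python
import xml.etree.ElementTree as ET

# Values the procedure above sets (taken from the page).
EXPECTED = {
    "cmsConfig.enableRefererCheck": "yes",
    "cmsConfig.clickjacking.security.enabled": "true",
    "cmsConfig.clickjacking.security.frameoptions.default": "SAMEORIGIN",
}


def load_properties(text):
    """Return {name: value} for every <Property> element in text."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        # Assumption: a bare list of <Property/> lines has no single root
        # element, so wrap it in one before parsing.
        root = ET.fromstring("<root>" + text + "</root>")
    props = {}
    for el in root.iter("Property"):
        name = el.get("name")
        if name is not None:
            props[name] = el.get("value")  # last occurrence wins
    return props


def audit(text):
    """Return (name, expected, actual) for each setting that is wrong or missing."""
    props = load_properties(text)
    return [
        (name, want, props.get(name))
        for name, want in EXPECTED.items()
        if props.get(name) != want
    ]


# Constructed sample: referer check still off, frame-options entry missing.
SAMPLE = """
<Property name="cmsConfig.enableRefererCheck" value="no" />
<Property name="cmsConfig.clickjacking.security.enabled" value="true" />
<Property name="example.unrelated.setting" value="x" />
"""

if __name__ == "__main__":
    for name, want, got in audit(SAMPLE):
        print(f"{name}: expected {want!r}, found {got!r}")
```

An empty result from `audit()` means all three settings match. A value of `None` in the third position means the property is absent from the file.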