CSRF to ATO at https://█████/user/account [HtUS]
High
## Vulnerability Details
Hello DoD security team, today while I was doing a pentest on your scope I came across
https://████████/user/account
so I registered and after that tried to edit my data, and the data was in a JSON request,
so I simply changed the content-type to
content-type: application/x-www-form-urlencoded
and the data was changed.
And in the next step I created an HTML file
to edit users' data with
0 click,
which allowed me to change the victim's email and leads to account takeover.
Check my HTML PoC file and video.
## Impact
account takeover
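The root cause in the report is an endpoint that accepts the same fields whether they arrive as JSON or as a form-urlencoded body, so a cross-site HTML form (which cannot set `Content-Type: application/json`) is treated like the site's own JSON request. The following is an added example, not code from the report or from the affected site, showing a framework-agnostic guard for a JSON-only account-update endpoint: it refuses state-changing requests whose media type is not `application/json` and requires the `Origin` (or, failing that, `Referer`) to match the site's own origin. The origin `https://example.test` and the helper names are assumptions; `lenient_parse` is included only to contrast the weak behaviour with the guarded one.

```python
"""
Added example (not from the report or the affected site): a request guard
for a JSON-only account-update endpoint, illustrating the checks that close
the content-type-switching CSRF described above. Works on plain dicts and
strings so it runs offline without any web framework.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Assumption: the application's own origin (placeholder value).
ALLOWED_ORIGINS = {"https://example.test"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _media_type(content_type):
    # "application/json; charset=utf-8" -> "application/json"
    return (content_type or "").split(";", 1)[0].strip().lower()


def guard_account_update(method, headers, body):
    """Return (allowed, reason). `headers` is a dict with lowercase keys."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"

    # Check 1: strict media type. Never fall back to form parsing on a
    # JSON endpoint; an HTML form can only send form-urlencoded,
    # multipart/form-data or text/plain.
    if _media_type(headers.get("content-type")) != "application/json":
        return False, "unsupported content-type for JSON endpoint"

    # Check 2: the request must come from our own origin. Browsers attach
    # Origin to cross-site POSTs; fall back to Referer when Origin is absent.
    origin = headers.get("origin")
    if origin is None:
        ref = headers.get("referer")
        if ref:
            parts = urlsplit(ref)
            origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:   # also rejects "null" and missing
        return False, "origin not allowed"

    # Only now parse the body, and only as JSON.
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(data, dict):
        return False, "JSON body must be an object"
    return True, "ok"


def lenient_parse(content_type, body):
    """The weak behaviour: the same field set is accepted from either
    encoding, so a form post is indistinguishable from the JSON request.
    Shown only to contrast with guard_account_update."""
    mt = _media_type(content_type)
    if mt == "application/json":
        return json.loads(body)
    if mt == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body).items()}
    raise ValueError("unsupported content-type")


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    same_site = {"content-type": "application/json",
                 "origin": "https://example.test"}
    form_post = {"content-type": "application/x-www-form-urlencoded",
                 "origin": "https://other.test"}
    print(guard_account_update("POST", same_site, '{"email": "a@b.test"}'))
    print(guard_account_update("POST", form_post, "email=a%40b.test"))
```

The media-type check is what defeats the specific technique in the report, because a plain HTML form cannot produce `application/json`; the origin check is kept because it also covers the `text/plain` form variant and any future endpoint that does accept forms. A per-session CSRF token and `SameSite` cookie attributes remain the usual complement to these two checks.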
## Report Stats
- Report ID: 1624421
- State: Closed
- Substate: resolved
- Upvotes: 12