CSRF Vulnerabilities in forms on SUCS site and arbitrary script/html injection
Banana awards allow arbitrary HTML (including script tags) onto the page.
PROOF OF WORK:
Randomly generate a token when the page is loaded and make that part of the POST request. If the wrong random string is submitted, validation fails.
More details on prevention measures for this type of attack: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
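A sketch of the token check described above, together with output escaping for the award text. This is an added example, not code from the SUCS site; the session dict, the `/award` path, the field names `csrf_token` and `reason`, and all function names are assumptions made for illustration.

```python
import hmac
import html
import secrets


def issue_csrf_token(session: dict) -> str:
    """Generate a random token at page load and remember it in the session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_award_form(session: dict) -> str:
    """Render the form with the token in a hidden field (hypothetical markup)."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/award">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token, quote=True)}">'
        '<input type="text" name="reason">'
        '<button type="submit">Award</button>'
        "</form>"
    )


def csrf_token_valid(session: dict, form: dict) -> bool:
    """True only if the submitted token matches the one stored for this session."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False  # a missing token on either side is a failure, never a pass
    # Constant-time comparison avoids leaking how much of the token matched.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_award_post(session: dict, form: dict) -> tuple:
    """Return (status, body) for a submitted award; form values are strings."""
    if not csrf_token_valid(session, form):
        return 403, "CSRF validation failed"
    # Escape user text before it reaches the page so tags are displayed, not run.
    reason = html.escape(form.get("reason", ""), quote=True)
    return 200, f"<li>{reason}</li>"
```
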