@Abss0x7tbh discovered that the route responsible for opting users out of further invites from an organization was vulnerable to CSRF. To exploit this, an attacker would need to know the name of the organization and make the request after the invite is created but before the victim accepts or declines it. We addressed the vulnerability by changing all opt-out-related controller actions to only allow POST requests, which require valid CSRF tokens.
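The fix described above, sketched as an added example (not code from the affected project): an opt-out handler before and after the method restriction and token check. The handler names, session store and request hashes are hypothetical, and the example assumes the pre-fix action accepted non-POST requests.

```ruby
require "securerandom"

# Constructed in-memory session store; all names here are hypothetical.
SESSIONS = { "sess-1" => { user: "alice", csrf: SecureRandom.hex(32) } }

# Constant-time comparison so the token check does not leak a match prefix.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Before the fix: any method is accepted and the session cookie alone authorizes.
def opt_out_before(req, opted_out)
  session = SESSIONS[req[:cookie]] or return 401
  opted_out << [session[:user], req[:org]]
  200
end

# After the fix: POST only, and the token must match the one bound to the session.
def opt_out_after(req, opted_out)
  session = SESSIONS[req[:cookie]] or return 401
  return 405 unless req[:method] == "POST"
  return 403 unless secure_compare(req[:csrf_token], session[:csrf])
  opted_out << [session[:user], req[:org]]
  200
end

# Constructed requests: the browser attaches the cookie in every case, but only
# the site's own form carries the session's token.
def demo
  cross_site_get  = { method: "GET",  cookie: "sess-1", org: "example-org" }
  cross_site_post = { method: "POST", cookie: "sess-1", org: "example-org" }
  own_form        = cross_site_post.merge(csrf_token: SESSIONS["sess-1"][:csrf])
  before, after = [], []
  {
    before_get: opt_out_before(cross_site_get, before),
    after_get:  opt_out_after(cross_site_get, after),
    after_post: opt_out_after(cross_site_post, after),
    after_form: opt_out_after(own_form, after),
    after_state: after
  }
end

p demo if __FILE__ == $0
```

When auditing for the same class of bug, look for any route that changes state yet is reachable by a method the framework exempts from token verification.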