rdiffweb prior to 2.4.6 is vulnerable to cross-site request forgery on the repository settings. A malicious user can change the settings of a repository by sending a URL to the victim. This issue is fixed in version 2.4.6.