The API on Winston 1.5.4 devices is vulnerable to CSRF. Read more