The /export/export endpoint does not have CSRF protection. This could be used to force a victim's browser to download their account data and potentially spoof users.
<!-- PoC.html -->
<html>
<body>
  To verify that you are a human, upload the file that has been downloaded from our website now.
  <a href="https://demo.firefly-iii.org/export/export">Download Test File</a>
</body>
</html>
Potential private-information leakage through phishing by exploiting the missing CSRF token: the export is triggered by a plain GET, so any page can make the victim's browser fetch it, and the victim is then tricked into handing the downloaded file over.
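One way to close the hole on the Laravel side, shown as an added illustration that is not Firefly III's own code (the controller and method names are assumed; only the /export/export path comes from the report):

```php
<?php
// Added illustration, not Firefly III's own code. ExportController and its
// exportData method are hypothetical; only /export/export is from the report.

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\ExportController;

// BEFORE (vulnerable shape, remove it): the export is a side-effecting action
// reachable by a bare GET. Any page can trigger it with a link or <img>, as the
// PoC does; the browser attaches the session cookie automatically and no token
// is ever checked.
Route::get('/export/export', [ExportController::class, 'exportData'])
    ->middleware(['web', 'auth']);

// AFTER (hardened shape): accept the action only via POST. Laravel's
// VerifyCsrfToken middleware, part of the default 'web' group, rejects a POST
// whose _token field (or X-CSRF-TOKEN header) does not match the session
// token, so a cross-site page cannot forge the request.
Route::post('/export/export', [ExportController::class, 'exportData'])
    ->middleware(['web', 'auth']);

// The legitimate user still reaches the download from a same-origin form;
// csrf_field() emits the hidden <input name="_token"> the middleware expects.
Route::get('/export', function () {
    return '<form method="POST" action="/export/export">'
        . csrf_field()
        . '<button type="submit">Download export</button>'
        . '</form>';
})->middleware(['web', 'auth']);

// Caveat: a SameSite=Lax session cookie (what Laravel ships with) does not stop
// the PoC above, because clicking a link is a top-level navigation on which Lax
// cookies are still sent. Requiring POST plus a valid token is the check that
// closes the hole; SameSite is defence in depth, not a substitute.
```

Detection-wise, a GET to /export/export whose Referer or Sec-Fetch-Site header indicates a cross-site origin is the signature of this PoC in the web server logs.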