The ApiRevisionUpdate module in CodeReview does not have any CSRF protection. The code says:
/**
- Variation of CodeRevisionCommiter for use in the API. Removes the post and token checking from validPost
- API can/will do the POST checking (and token?) */
No, it does not do token checking. ApiBase::needsToken() and ApiBase::getTokenSalt() must be overridden, which they aren't.
Version: unspecified
Severity: normal