@SeanWrightSec I can still try a limited amount of credential stuffing, by embedding various cred combi's and using JS events and the like to see if any are successful.
Basically, the answer to your question is that CSRF vulns allow me to use you as a pivot 3/