rep1 (https://exness.com)
CSRF-token leak
Description
A CSRF-token generator that can be accessed without authorization was found on your subdomain at this URL: https://stage.exness.com/get_csrf/
A similar endpoint is available on your main domain: https://www.exness.com/get_csrf/
Impact
A leaked CSRF token opens up many opportunities for cross-site request forgery.
For additional info see: https://cwe.mitre.org/data/definitions/352.html
Recommendation: add a relevant auth check to this method.
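One way to apply the recommended auth check, shown as an added example that is not part of the original report or the site's own code. It assumes a server-side session store and a per-deployment secret; SESSIONS, SERVER_KEY and both function names are hypothetical. Going slightly beyond the recommendation, the token is also bound to the session it was issued for.

```python
import hashlib
import hmac
import secrets

# Assumption: per-deployment secret, generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample session store (session id -> user); hypothetical names.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def _mac(session_id, nonce):
    """HMAC over session id and nonce, so a token is tied to one session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Handler logic for a token endpoint such as /get_csrf/.

    Returns (status, token). Callers without a valid session get 401
    and no token, which is the auth check the report recommends.
    """
    if session_id not in SESSIONS:
        return 401, None
    nonce = secrets.token_hex(16)
    return 200, f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, token):
    """Accept a token only when presented with the session it was issued to."""
    if session_id not in SESSIONS or not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = _mac(session_id, nonce)
    # Constant-time comparison on bytes avoids timing side channels.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    print(issue_csrf_token(None))            # unauthenticated: (401, None)
    status, tok = issue_csrf_token("sess-alice")
    print(status, verify_csrf_token("sess-alice", tok))   # own session
    print(verify_csrf_token("sess-bob", tok))             # other session
```

With session binding, a token obtained under one session is rejected when submitted under another, so a token fetched outside the victim's session has no value.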