Cross-Site Request Forgery (CSRF) arises because of a problem with how browsers treat cross-origin requests. Attackers can fake any user-supplied input on a site and make it indistinguishable from the user submitting it themselves. In our pen test attack, we created a new page and stole administrative credentials from the site using some unorthodox HTML. The risk of this type of attack is that the attacker isn’t breaking the site at all! They need to assign a login button to the function of the button on ‘/admin’ that grabs the value of the username and password.
Source: https://www.helpnetsecurity.com/2021/03/23/csrf-on-company-websites/
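
The following server-side check is an added example, not code from the original article. It rejects state-changing requests whose browser-set `Origin`/`Referer` is not the site's own origin or whose session-bound token is missing or wrong. `TRUSTED_ORIGIN`, the `csrf_token` field name and all function names are assumptions, and it assumes safe methods such as GET never change state.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://app.example"  # assumed site origin (constructed)
SERVER_KEY = secrets.token_bytes(32)    # per-deployment secret, never sent to clients
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method, headers, session_id, form):
    """Return (allowed, reason) for a request that carries a valid session cookie.

    `headers` is assumed to be a dict with canonical header names.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # The browser sets Origin/Referer itself; a page on another origin cannot
    # override them, so they reveal where the request was really issued from.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer"
    if origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin source"
    # A page on another origin cannot read the token, so it cannot echo it back.
    supplied = form.get("csrf_token", "").encode()
    expected = issue_csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "bad csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-123"  # constructed sample session
    good = {"csrf_token": issue_csrf_token(sid)}
    print(check_request("POST", {"Origin": TRUSTED_ORIGIN}, sid, good))
    print(check_request("POST", {"Origin": "https://other.example"}, sid, good))
    print(check_request("POST", {"Origin": TRUSTED_ORIGIN}, sid, {}))
```

Logging the returned reason for every rejected request gives defenders a record of forged submissions, since the session cookie alone makes them look like ordinary user activity.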

