phpATM versions 1.32 and below suffers from cross site request forgery and path disclosure vulnerabilities.