github.com/gophish/gophish is vulnerable to clickjacking. An authenticated administrator can be successfully tricked into clicking a “Reset” button in the settings page which will cause their API key to be reset, resulting in a denial of service to the application.