The "Schedule Jobs" page was vulnerable to a cross-site request forgery. If an administrative user visited a malicious page outside of CiviCRM, the malicious page could trick that user's browser into executing a job on the CiviCRM site.
CiviCRM version 5.24.2 and earlier
CiviCRM version 5.24.3 and 5.21.3
Upgrade to the latest version of CiviCRM
Mark Burdett (Electronic Frontier Foundation) for reporting the issue.
Seamus Lee (JMA Consulting/CiviCRM), Rich Lott (Artful Robot), Patrick Figel (Greenpeace CEE), and Sean Madsen (Left Join Labs) for resolving the issue.