With XSRF, the malicious party will attempt to send a request to the target application without the victim's knowledge. For example, the malicious party might have a website at malicious.com, and contains an img tag with the following definition:
<img src="http://target.app/change-password/?newPassword=foobar">
Now, when the victim visits malicious.com, their browser will send a GET request to http://target.app/change-password/?newPassword=foobar, along with any cookies for that domain. Therefore, if the user is already authenticated in another browser tab, then this GET request would be received as if it was initiated by the user.