regarding "acting as a logged in user"
As in most CSRF bugs, the victim user must be logged-in when the attack occurs. This also applies to this GroupWise CSRF vuln. Notice that the victim user would be logged-in when the "evil" email is viewed via GroupWise WebAccess, thus this attack is practical. This is the very reason why cross-site vulnerabilities (XSS/CSRF) on webmail portals are considered serious: the victim user is *logged-in* when an email is viewed.
Hope this makes sense.