Description

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

Remediation

References

https://www.playframework.com/security/vulnerability

https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass

Related Vulnerabilities

CVE-2019-17558 Vulnerability in maven package org.apache.solr:solr-velocity

CVE-2023-35158 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-skin-resources

CVE-2021-21141 Vulnerability in maven package org.webjars.npm:electron

CVE-2022-45399 Vulnerability in maven package org.zeroturnaround:cluster-stats

CVE-2017-8045 Vulnerability in maven package org.springframework.amqp:spring-amqp

Severity

High

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Vendor Advisory