Description
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
Remediation
References
https://www.playframework.com/security/vulnerability
https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass