Description

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

Remediation

References

https://www.playframework.com/security/vulnerability

https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass

Related Vulnerabilities

CVE-2015-5171 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-common

CVE-2016-2175 Vulnerability in maven package org.apache.pdfbox:preflight-app

CVE-2022-24785 Vulnerability in npm package moment

CVE-2015-7501 Vulnerability in maven package org.apache.commons:commons-collections4

CVE-2022-36095 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

High

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Vendor Advisory