Description
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
Remediation
References
https://www.playframework.com/security/vulnerability
https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass