CVE-2020-12480

Published: Aug 17, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

Affected (3)

Products: Lightbend: Play Framework

Lightbend

1 product

Play Framework

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Lightbend Play Framework	From 2.6.0 to 2.6.25
Lightbend Play Framework	From 2.7.0 to 2.7.4
Lightbend Play Framework	From 2.8.0 to 2.8.1

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://www.playframework.com/security/vulnerability

Source: cve@mitre.org

Vendor Advisory

https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass

Source: cve@mitre.org

Vendor Advisory

https://www.playframework.com/security/vulnerability

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.