CVE-2020-12480

MEDIUM

Play Framework 2.6.0-2.8.1 - Cross-Site Request Forgery Bypass via Unparseable Content-Type Parameters

Title source: llm
STIX 2.1

Description

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.

References (2)

Core 2

Scores

CVSS v3 6.5
EPSS 0.0053
EPSS Percentile 40.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE
CWE-352
Status published
Products (2)
com.typesafe.play/play_2.12 0 - 2.7.5Maven
lightbend/play_framework 2.6.0 - 2.6.25
Published Aug 17, 2020
Tracked Since Feb 18, 2026