CVE-2020-12480: Cross-Site Request Forgery (CSRF)

August 18, 2020 (updated September 23, 2021)

In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can’t be parsed.

References

github.com/advisories/GHSA-cf8j-64h9-6q58
github.com/playframework/playframework/commit/c82de44fc50b7c58c6e0580f1f67ff08aa7bd154
github.com/playframework/playframework/pull/10285
nvd.nist.gov/vuln/detail/CVE-2020-12480

Code Behaviors & Features

Detect and mitigate CVE-2020-12480 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →