CVE-2020-12480

EUVD-2020-0613
In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
lightbendplay_framework
2.6.0 ≤
𝑥
≤ 2.6.25
lightbendplay_framework
2.7.0 ≤
𝑥
≤ 2.7.4
lightbendplay_framework
2.8.0 ≤
𝑥
≤ 2.8.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.playframework.com/security/vulnerability
https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass
https://www.playframework.com/security/vulnerability
https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass