CVE-2020-7965: Cross-Site Request Forgery (CSRF)
flaskparser.py in Webargs does not check whether the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This matters because a browser will send a cross-origin POST with Content-Type application/x-www-form-urlencoded (a CORS-safelisted value) and the victim's cookies without any preflight, whereas a real application/json request would trigger a preflight and be blocked. A page on an attacker's origin can therefore send a raw JSON string under a form content type, and the vulnerable parser processes it as an authenticated JSON request. This allows JSON POST requests to be made across domains, leading to CSRF.
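The following is an added illustration, not code from Webargs or from the advisory. It contrasts a loader that behaves like the flaw described above (parse any body that happens to be valid JSON) with a hardened loader that first checks the declared media type, using a small `is_json_mimetype` helper written for this example. The forged request below is constructed: its headers and body stand in for what a cross-origin page could send with `fetch(..., {credentials: "include", headers: {"Content-Type": "application/x-www-form-urlencoded"}})`, which needs no CORS preflight.

```python
import json
from typing import Any, Dict, Optional


def mimetype_of(content_type: Optional[str]) -> str:
    """Return the bare media type, lowercased and without parameters.

    "Application/JSON; charset=utf-8" -> "application/json"
    Werkzeug's request.mimetype does the same normalisation in a Flask app.
    """
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_json_mimetype(content_type: Optional[str]) -> bool:
    """Accept application/json and structured-syntax suffixes such as
    application/vnd.api+json; reject everything else (incl. form types)."""
    mt = mimetype_of(content_type)
    if mt == "application/json":
        return True
    return mt.startswith("application/") and mt.endswith("+json")


def vulnerable_load_json(content_type: Optional[str], body: str) -> Optional[Dict[str, Any]]:
    """Mirrors the flaw: the declared Content-Type is never consulted, so any
    body that parses as JSON is accepted, including one sent by a cross-origin
    form post or a no-preflight fetch with a form content type."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None


def hardened_load_json(content_type: Optional[str], body: str) -> Optional[Dict[str, Any]]:
    """Hardened form: refuse to treat the body as JSON unless the client
    declared a JSON media type. A browser cannot send application/json
    cross-origin without a preflight, so the forged request is rejected."""
    if not is_json_mimetype(content_type):
        return None
    try:
        parsed = json.loads(body)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None


# Constructed sample: what a cross-origin attacker page can make the victim's
# browser send. Cookies ride along; the content type is CORS-safelisted, so no
# preflight happens; the body is nevertheless a valid JSON document.
FORGED_REQUEST = {
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "session=victim-session-cookie",  # constructed value
    },
    "body": '{"to": "attacker-account", "amount": 1000}',  # constructed value
}


def demo() -> Dict[str, Optional[Dict[str, Any]]]:
    """Run both loaders over the forged request and return their results."""
    ct = FORGED_REQUEST["headers"]["Content-Type"]
    body = FORGED_REQUEST["body"]
    return {
        "vulnerable": vulnerable_load_json(ct, body),
        "hardened": hardened_load_json(ct, body),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

In a Flask view the equivalent check is `request.mimetype == "application/json"` (or the suffix test above) before calling `request.get_json(force=True)` or `json.loads(request.get_data())`; rejecting mismatched media types restores the preflight that the browser's same-origin policy relies on, which is the whole point of the fix.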