CVE-2020-7965

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-7965

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7965.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-7965

Aliases

Published

2020-01-29T15:15:11Z

Modified

2025-01-08T07:32:01.443829Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

References

https://webargs.readthedocs.io/en/latest/changelog.html

Affected packages

Git / github.com/marshmallow-code/webargs

Affected ranges

Type: GIT
Repo: https://github.com/marshmallow-code/webargs
Events: Introduced

cca430ebe55939a488ceda93a75bfe401228ecb5

Last affected

f1ae764973b6492e3c69109060c95240b7cc3d41

Affected versions

5.*

5.0.0

5.1.0

5.1.1

5.1.1.post0

5.1.2

5.1.3

5.2.0

5.2.2

5.3.0

5.3.1

5.3.2

5.4.0

5.5.0

5.5.1

5.5.2