PYSEC-2020-156

Import source: https://github.com/pypa/advisory-database/blob/main/vulns/webargs/PYSEC-2020-156.yaml
JSON data: https://api.test.osv.dev/v1/vulns/PYSEC-2020-156
Aliases
Published: 2020-01-29T15:15:00Z
Modified: 2023-11-01T04:53:40.923879Z
Summary: [none]
Details

flaskparser.py in Webargs 5.x through 5.5.2 does not check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it is accepted even when the content type is application/x-www-form-urlencoded. Because browsers send form-encoded POST requests cross-origin without a CORS preflight, this allows JSON POST requests to be made across domains, leading to CSRF.

References

Affected packages

Package: PyPI / webargs

Affected ranges (type: ECOSYSTEM)
Introduced: 5.0.0
Fixed: 5.5.3

Affected versions (5.*)

5.0.0
5.1.0
5.1.1
5.1.1.post0
5.1.2
5.1.3
5.2.0
5.3.0
5.3.1
5.3.2
5.4.0
5.5.0
5.5.1
5.5.2