CVE-2020-7965

CVE-2020-7965

flaskparser.py in Webargs 5.x through 5.5.2 doesn’t check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

Source: CVE-2020-7965

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다