{"id":"CVE-2020-12480","details":"In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can't be parsed.","aliases":["GHSA-cf8j-64h9-6q58"],"modified":"2026-04-10T04:22:02.699221Z","published":"2020-08-17T21:15:11.523Z","references":[{"type":"ADVISORY","url":"https://www.playframework.com/security/vulnerability"},{"type":"ADVISORY","url":"https://www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/playframework/playframework","events":[{"introduced":"5e26adc275fb1d0b536ecb14fc5883f448d8b0f0"},{"last_affected":"350df36004a3e4e34ebc8b9543044696d3905761"},{"introduced":"ad7ed0c2c0e107a183d47885592044926b38a833"},{"last_affected":"448f70a989422a8a4910607b78e0517dcb144f2c"},{"introduced":"3c008185a851c26c8cf82ee46ddb0882086fce7b"},{"last_affected":"7d860b78d1b23fb80382c9e5f1d41ffaa5d222af"}],"database_specific":{"versions":[{"introduced":"2.6.0"},{"last_affected":"2.6.25"},{"introduced":"2.7.0"},{"last_affected":"2.7.4"},{"introduced":"2.8.0"},{"last_affected":"2.8.1"}]}}],"versions":["2.6.0","2.6.1","2.6.10","2.6.11","2.6.12","2.6.13","2.6.14","2.6.15","2.6.16","2.6.17","2.6.18","2.6.19","2.6.2","2.6.20","2.6.21","2.6.22","2.6.23","2.6.24","2.6.25","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.6.9","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.8.0","2.8.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12480.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}