{"id":"PYSEC-2020-156","details":"flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.","aliases":["CVE-2020-7965","GHSA-fjq3-5pxw-4wj4"],"modified":"2023-11-01T04:53:40.923879Z","published":"2020-01-29T15:15:00Z","references":[{"type":"WEB","url":"https://webargs.readthedocs.io/en/latest/changelog.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fjq3-5pxw-4wj4"}],"affected":[{"package":{"name":"webargs","ecosystem":"PyPI","purl":"pkg:pypi/webargs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.0.0"},{"fixed":"5.5.3"}]}],"versions":["5.0.0","5.1.0","5.1.1","5.1.1.post0","5.1.2","5.1.3","5.2.0","5.3.0","5.3.1","5.3.2","5.4.0","5.5.0","5.5.1","5.5.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/webargs/PYSEC-2020-156.yaml"}}],"schema_version":"1.7.3"}