2020-01-29 14:33:16
mitre
PUBLISHED
flaskparser.py in Webargs 5.x through 5.5.2 doesnt check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.