PT-2020-19881 · Marshmallow · Webargs
Published
2020-01-29
·
Updated
2021-04-07
·
CVE-2020-7965
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Webargs versions 5.x through 5.5.2
Description
Affected versions of webargs do not verify that the Content-Type header is application/json before parsing a request body as JSON. A syntactically valid JSON body is therefore accepted even when the request declares application/x-www-form-urlencoded, a content type that browsers send cross-origin without a CORS preflight and with the victim's cookies attached. An attacker-controlled page can thus submit JSON POST requests to the application on behalf of a logged-in user, which is a Cross-Site Request Forgery (CSRF) against any endpoint that relied on the JSON content type as its only CSRF defence.
Recommendations
For versions 5.x through 5.5.2, update webargs to 5.5.3 or later, which checks the Content-Type header before parsing JSON input; the affected versions do not perform this check.
Until the update can be applied, reject requests whose Content-Type is not a JSON media type before they reach JSON-parsing endpoints (for example in a framework-level before-request hook), and protect state-changing endpoints with a conventional CSRF defence such as a per-session token, so that the content type is not the only thing standing between a cross-site form post and the handler.
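The following is an added example written for this page, not webargs' own code or the project's fix: a minimal request model with the two parsing behaviours side by side. `parse_json_unchecked` mirrors the behaviour described above (the body is parsed as JSON whatever the Content-Type says), while `parse_json_checked` is the hardened form that refuses the body unless the client declared a JSON media type. The `Request` class, the `is_json_mimetype` helper and the sample requests are assumptions constructed for the example; the cross-site sample is what a `fetch()` call with `mode: "no-cors"` and a form-urlencoded Content-Type delivers, which browsers send without a preflight and with cookies attached.

```python
"""Content-Type check for JSON request bodies (added example, not webargs code)."""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def content_type(self) -> str:
        # HTTP header names are case-insensitive, so match without regard to case.
        for name, value in self.headers.items():
            if name.lower() == "content-type":
                return value
        return ""


def is_json_mimetype(content_type: str) -> bool:
    """True for application/json and application/*+json, ignoring parameters.

    Parameters such as "; charset=utf-8" are stripped before comparison, and
    structured-syntax suffixes (application/vnd.api+json) are accepted.
    """
    mimetype = content_type.split(";", 1)[0].strip().lower()
    if not mimetype.startswith("application/"):
        return False
    subtype = mimetype[len("application/"):]
    return subtype == "json" or subtype.endswith("+json")


class JSONRejected(Exception):
    """Raised when a JSON body arrives without a JSON Content-Type."""


def parse_json_unchecked(req: Request) -> Optional[dict]:
    """Vulnerable pattern: parse whatever is in the body as JSON, header ignored."""
    try:
        return json.loads(req.body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


def parse_json_checked(req: Request) -> Optional[dict]:
    """Hardened pattern: parse only when the client declared a JSON media type."""
    if not is_json_mimetype(req.content_type()):
        raise JSONRejected(f"unexpected Content-Type {req.content_type()!r}")
    try:
        return json.loads(req.body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: a cross-site POST. A browser sends this body verbatim for
# a form-urlencoded Content-Type with no CORS preflight, attaching the
# victim's session cookie; only the Content-Type betrays that it is not
# a same-origin JSON call.
CROSS_SITE_FORM_POST = Request(
    method="POST",
    headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "session=victim",
    },
    body=b'{"email": "attacker@example.com"}',
)

# Constructed sample: a legitimate same-origin XHR/fetch call.
LEGIT_JSON_POST = Request(
    method="POST",
    headers={"Content-Type": "application/json; charset=utf-8"},
    body=b'{"email": "user@example.com"}',
)


def demo():
    """Return (vulnerable result, hardened result) for the cross-site request."""
    vulnerable = parse_json_unchecked(CROSS_SITE_FORM_POST)
    try:
        hardened = parse_json_checked(CROSS_SITE_FORM_POST)
    except JSONRejected as exc:
        hardened = str(exc)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

The check alone is not a complete CSRF defence: it only restores the property that a browser cannot reach the JSON handler without a CORS preflight. Endpoints that change state should still carry a per-session token or an equivalent control.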
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Webargs