The attacker can use the incorrect
Content-Type to bypass the
Pre-Flight checking of
fetch() requests with Content-Type’s essence as "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", could potentially be used to invoke routes that only accepts
application/json content type, thus bypassing any CORS protection, and therefore they could lead to a Cross-Site Request Forgery attack.
4.x users, please update to at least
3.x users, please update to at least
Implement Cross-Site Request Forgery protection using
Check out the HackerOne report: https://hackerone.com/reports/1763832.