In Play Framework 2.6.0 through 2.8.1, the CSRF filter can be bypassed by making CORS simple requests with content types that contain parameters that can’t be parsed.
github.com/playframework/playframework
github.com/playframework/playframework/commit/c82de44fc50b7c58c6e0580f1f67ff08aa7bd154
github.com/playframework/playframework/pull/10285
nvd.nist.gov/vuln/detail/CVE-2020-12480
www.playframework.com/security/vulnerability
www.playframework.com/security/vulnerability/CVE-2020-12480-CsrfBlacklistBypass