Detected a method annotated with ‘RequestMapping’ that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the ‘method’ field and specify the HTTP method (such as ‘RequestMethod.POST’).

Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
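The pattern the rule flags, beside its fix, as an added example (not code from the rule or any project it was run against). It assumes a Spring MVC controller behind Spring Security with CSRF protection enabled; the class, paths, and the in-memory store are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/account")
public class AccountController {

    // Hypothetical stand-in for a real user store (constructed for the example).
    private final Map<String, String> emailByUser = new ConcurrentHashMap<>();

    // FLAGGED BY THE RULE: no 'method' given, so this handler also answers GET.
    // Spring Security's CsrfFilter skips GET/HEAD/TRACE/OPTIONS, so a plain
    // cross-site GET (a link or image load) reaches the state change without
    // any CSRF token being checked.
    @RequestMapping("/email-unsafe")
    public String changeEmailUnsafe(@RequestParam String value) {
        setEmailOfCurrentUser(value);
        return "updated";
    }

    // FIXED: restricted to POST. The CSRF filter now enforces the token on
    // every call, and a GET to this path is answered with 405 Method Not Allowed.
    @RequestMapping(value = "/email", method = RequestMethod.POST)
    public String changeEmail(@RequestParam String value) {
        setEmailOfCurrentUser(value);
        return "updated";
    }

    // Equivalent fix using the composed annotation (Spring 4.3+), which
    // cannot be written without a method and so never triggers the rule.
    @PostMapping("/password")
    public String changePassword(@RequestParam String value) {
        // password change would go here; only the mapping matters for the rule
        return "updated";
    }

    private void setEmailOfCurrentUser(String email) {
        String user = SecurityContextHolder.getContext().getAuthentication().getName();
        emailByUser.put(user, email);   // the state change that must not be GET-reachable
    }
}
```

A quick review check for the same class of finding: grep the code base for `@RequestMapping(` occurrences that lack `method =` and sit on handlers that write to a store, send mail, or call any non-idempotent service.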