Reflected Cross-Site Scripting Vulnerability in Chunghwa Telecom's TenderDocTransfer
CVE-2024-12641

9.6CRITICAL

Key Information:

Vendor

Chunghwa Telecom

Status
Tenderdoctransfer
Vendor
CVE Published:
16 December 2024

What is CVE-2024-12641?

CVE-2024-12641 is a critical reflected cross-site scripting (XSS) vulnerability found in TenderDocTransfer by Chunghwa Telecom. This vulnerability arises from the application setting up a local web server that facilitates API communications with the target website, but unfortunately lacks proper Cross-Site Request Forgery (CSRF) protection for these APIs. As a result, unauthenticated remote attackers can exploit the flaw by using phishing techniques to manipulate and execute arbitrary JavaScript code in victim browsers. The use of Node.js capabilities within the local server enables attackers to escalate their access, potentially allowing them to run operating system commands remotely, creating a high-risk scenario for users. It is crucial for organizations using this software to implement security patches as recommended.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

TenderDocTransfer 0.41.151 <= 0.41.156

References

https://www.twcert.org.tw/tw/cp-132-8292-4fd98-1.html
third-party-advisory
https://www.twcert.org.tw/en/cp-139-8299-42168-2.html
third-party-advisory

EPSS Score

19% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.