Arbitrary File Deletion Issue in TenderDocTransfer by Chunghwa Telecom
CVE-2025-13282

7 HIGH

Key Information:

CVE Published: 17 November 2025

What is CVE-2025-13282?

The TenderDocTransfer application developed by Chunghwa Telecom has a security flaw involving Arbitrary File Deletion. The application runs a local web server that exposes APIs for interaction with remote websites. These APIs have no Cross-Site Request Forgery (CSRF) protection, so an attacker can invoke them without authorization through a phishing attack. In addition, an Absolute Path Traversal vulnerability in one of the APIs allows attackers to delete any file on the user's system, significantly compromising user data and security.
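The two missing checks described above, sketched as an added defensive example (not Chunghwa Telecom's code or its actual fix, which this page does not describe). The allowed origin, the `X-Session-Token` header, the base directory and all function names are assumptions made for illustration.

```python
import hmac
from pathlib import Path, PurePosixPath, PureWindowsPath

ALLOWED_ORIGINS = {"https://tender.example"}  # assumption: the one site allowed to call the API
BASE_DIR = Path("/tmp/tenderdoc-work")        # assumption: only directory a delete may touch


class Rejected(Exception):
    """Raised when a request must not be acted on."""


def check_request_source(headers, session_token):
    """CSRF defence: require a trusted Origin and a per-session secret token."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        raise Rejected("untrusted or missing Origin")
    supplied = headers.get("X-Session-Token", "")  # hypothetical header name
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        raise Rejected("bad session token")


def confine_path(requested, base=BASE_DIR):
    """Path defence: accept only relative names that stay inside base."""
    if (PurePosixPath(requested).is_absolute()
            or PureWindowsPath(requested).is_absolute()
            or PureWindowsPath(requested).drive
            or requested.startswith(("/", "\\"))):
        raise Rejected("absolute path")
    root = base.resolve()
    target = (root / requested).resolve()  # collapses ".." and follows symlinks
    try:
        target.relative_to(root)
    except ValueError:
        raise Rejected("path escapes base directory")
    return target


def authorize_delete(headers, requested, session_token):
    """Return the path that may be deleted, or raise Rejected."""
    check_request_source(headers, session_token)
    return confine_path(requested)
```

A handler built this way would call `authorize_delete` before touching the filesystem and treat any `Rejected` as a refused request.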

Affected Version(s)

TenderDocTransfer versions earlier than 0.41.159

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
