Arbitrary File Copy and Path Traversal in TenderDocTransfer by Chunghwa Telecom
CVE-2025-13283

7 HIGH

Key Information:

Vendor
CVE Published: 17 November 2025

What is CVE-2025-13283?

TenderDocTransfer, a product developed by Chunghwa Telecom, is susceptible to an Arbitrary File Copy and Path Traversal vulnerability. The application runs a local web server and exposes APIs that target websites use to interact with it. These APIs lack adequate CSRF protection, so unauthenticated remote attackers can invoke them, potentially through phishing schemes. In addition, an Absolute Path Traversal flaw in the API lets attackers copy arbitrary files from the user's system to any desired location, which can lead to information leakage or to excessive hard drive consumption from large file transfers.
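The two missing checks described above, sketched for a generic local helper service. This is an added example, not code from TenderDocTransfer or Chunghwa Telecom; the allowed origin, the directory roots and all function names are hypothetical assumptions.

```python
import os
from urllib.parse import urlsplit

# Assumptions (hypothetical, not from the advisory): the helper serves one
# site origin and may copy only between these two directories.
ALLOWED_ORIGINS = {"https://tender.example"}
SOURCE_ROOT = "/home/user/TenderDocs"
DEST_ROOT = "/home/user/TenderDocs/outbox"

def origin_allowed(headers):
    """CSRF check: require an Origin header that is on the allowlist."""
    origin = headers.get("Origin")
    if not origin:
        return False  # missing Origin is rejected rather than trusted
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS

def confine(root, user_path):
    """Resolve user_path under root; return None if the result escapes root."""
    root_real = os.path.realpath(root)
    # os.path.join discards root when user_path is absolute, so the
    # containment check below is what rejects absolute-path traversal.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. paths on different drives
        inside = False
    return candidate if inside else None

def authorize_copy(headers, src, dst):
    """Return resolved (src, dst) if the request is permitted, else None."""
    if not origin_allowed(headers):
        return None
    s, d = confine(SOURCE_ROOT, src), confine(DEST_ROOT, dst)
    if s is None or d is None:
        return None
    return s, d
```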

Affected Version(s)

TenderDocTransfer 0 < 0.41.159

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
