4 matches found
CVE-2024-12641
The CVE-2024-12641 entry describes TenderDocTransfer by Chunghwa Telecom as vulnerable to Reflected Cross-site Scripting due to missing CSRF protection on API endpoints. Unauthenticated remote attackers could use specific APIs via phishing to inject and execute arbitrary JavaScript in a user’s br...
CVE-2024-12642
TenderDocTransfer from Chunghwa Telecom is affected by an Arbitrary File Write vulnerability, with a Relative Path Traversal in one API. The issue arises from CSRF protection gaps allowing unauthenticated remote attackers to abuse APIs (e.g., via phishing) and write arbitrary files to paths on a ...
CVE-2025-13282
TenderDocTransfer (Chunghwa Telecom) exposes a combination of flaws: (1) an Absolute Path Traversal within one API that could allow deletion of arbitrary files on the user’s system, and (2) APIs with no CSRF protection, enabling unauthenticated remote attackers to trigger actions via phishing. Th...
CVE-2025-13283
TenderDocTransfer by Chunghwa Telecom exposes a CSRF-protected API surface and an Absolute Path Traversal flaw. The application runs a local web server with APIs that, due to lack of CSRF protection, can be abused by unauthenticated remote attackers via phishing. One API also permits Absolute Pat...