2 matches found
CVE-2025-13282
TenderDocTransfer (Chunghwa Telecom) exposes a combination of flaws: (1) an Absolute Path Traversal within one API that could allow deletion of arbitrary files on the user’s system, and (2) APIs with no CSRF protection, enabling unauthenticated remote attackers to trigger actions via phishing. Th...
CVE-2025-13283
TenderDocTransfer by Chunghwa Telecom exposes a CSRF-protected API surface and an Absolute Path Traversal flaw. The application runs a local web server with APIs that, due to lack of CSRF protection, can be abused by unauthenticated remote attackers via phishing. One API also permits Absolute Pat...