Vulnerability Description
TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cht | Tenderdoctransfer | >= 0.41.151, < 0.41.157 |
Related Weaknesses (CWE)
References
- https://www.twcert.org.tw/en/cp-139-8299-42168-2.htmlThird Party Advisory
- https://www.twcert.org.tw/tw/cp-132-8292-4fd98-1.htmlThird Party Advisory
FAQ
What is CVE-2024-12641?
CVE-2024-12641 is a vulnerability with a CVSS score of 9.6 (CRITICAL). TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target websit...
How severe is CVE-2024-12641?
CVE-2024-12641 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-12641?
Check the references section above for vendor advisories and patch information. Affected products include: Cht Tenderdoctransfer.