Vulnerability Description
TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to write arbitrary files to any path on the user's system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cht | Tenderdoctransfer | >= 0.41.151, < 0.41.157 |
Related Weaknesses (CWE)
References
- https://www.twcert.org.tw/en/cp-139-8300-2eaa1-2.htmlThird Party Advisory
- https://www.twcert.org.tw/tw/cp-132-8294-44d13-1.htmlThird Party Advisory
FAQ
What is CVE-2024-12642?
CVE-2024-12642 is a vulnerability with a CVSS score of 8.1 (HIGH). TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to...
How severe is CVE-2024-12642?
CVE-2024-12642 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-12642?
Check the references section above for vendor advisories and patch information. Affected products include: Cht Tenderdoctransfer.