← Back

CVE-2024-12641

nvd nist
Published: Dec 16, 2024Modified: Jun 17, 2026

JSON object

Loading...
9.6
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 6.0
Source: twcert@cert.org.tw (Secondary)

Description

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.

Affected (1)

Cht
1 product
Tenderdoctransfer
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Tenderdoctransfer
From 0.41.151 to 0.41.157

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: twcert@cert.org.tw
Third Party Advisory
Source: twcert@cert.org.tw
Third Party Advisory

Timeline

No history available yet.