CVE-2024-12642

Published: Dec 16, 2024Modified: Jun 17, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: twcert@cert.org.tw (Secondary)

Description

TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to write arbitrary files to any path on the user's system.

Affected (1)

Products: Cht: Tenderdoctransfer

1 product

Tenderdoctransfer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cht Tenderdoctransfer	From 0.41.151 to 0.41.157

Related CWEs

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://www.twcert.org.tw/en/cp-139-8300-2eaa1-2.html

Source: twcert@cert.org.tw

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-8294-44d13-1.html

Source: twcert@cert.org.tw

Third Party Advisory

Timeline

No history available yet.