TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.
Metrics
Affected Vendors & Products
References
History
Mon, 16 Dec 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Mon, 16 Dec 2024 06:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands. | |
Title | Chunghwa Telecom TenderDocTransfer - Reflected Cross-site Scripting to RCE | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: twcert
Published: 2024-12-16T06:14:09.779Z
Updated: 2024-12-16T16:44:08.298Z
Reserved: 2024-12-16T01:39:20.993Z
Link: CVE-2024-12641
Vulnrichment
Updated: 2024-12-16T16:44:04.254Z
NVD
Status : Received
Published: 2024-12-16T07:15:05.787
Modified: 2024-12-16T07:15:05.787
Link: CVE-2024-12641
Redhat
No data.