TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.
History

Mon, 16 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Dec 2024 06:30:00 +0000

Type Values Removed Values Added
Description TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.
Title Chunghwa Telecom TenderDocTransfer - Reflected Cross-site Scripting to RCE
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-12-16T06:14:09.779Z

Updated: 2024-12-16T16:44:08.298Z

Reserved: 2024-12-16T01:39:20.993Z

Link: CVE-2024-12641

cve-icon Vulnrichment

Updated: 2024-12-16T16:44:04.254Z

cve-icon NVD

Status : Received

Published: 2024-12-16T07:15:05.787

Modified: 2024-12-16T07:15:05.787

Link: CVE-2024-12641

cve-icon Redhat

No data.