CVE-2025-13282
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13282, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-17

Last updated on: 2025-12-19

Assigner: TWCERT/CC

Description

TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-17
Last Modified
2025-12-19
Generated
2026-07-06
AI Q&A
2025-11-17
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cht tenderdoctransfer to 0.41.159 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

TenderDocTransfer by Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application runs a local web server with APIs that lack CSRF protection, allowing unauthenticated remote attackers to exploit these APIs via phishing. One API has an Absolute Path Traversal flaw, enabling attackers to delete any file on the user's system.

Impact Analysis

This vulnerability can allow attackers to delete arbitrary files on your system without authentication, potentially leading to loss of important data, disruption of services, or system instability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart