Chunghwa Telecom TenderDocTransfer Arbitrary File Deletion Vulnerability

Vulnerability

An arbitrary file deletion vulnerability has been identified in TenderDocTransfer, a file transfer application developed by Chunghwa Telecom, prior to version 0.41.159. The vulnerability arises from the application's local web server, which exposes APIs for communication with target websites. These APIs lack Cross-Site Request Forgery (CSRF) protection, allowing unauthenticated remote attackers to exploit them, potentially through phishing. One of the APIs is vulnerable to absolute path traversal, enabling attackers to delete arbitrary files from the user's system.
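The following added example (not TenderDocTransfer's code or Chunghwa Telecom's fix) shows the two checks a localhost helper API of this kind needs before deleting a file: an Origin allow-list against cross-site requests, and a containment check that rejects absolute or `..` paths. The names `ALLOWED_ORIGINS`, `TRANSFER_DIR`, `origin_allowed`, `resolve_in_base`, `handle_delete` and the origin `https://portal.example` are hypothetical, and request headers are assumed to arrive as a plain dict.

```python
import os
from urllib.parse import urlsplit

# Hypothetical values for illustration; not taken from TenderDocTransfer.
ALLOWED_ORIGINS = {"https://portal.example"}  # sites allowed to call the local API
TRANSFER_DIR = "/var/lib/helper/transfers"    # only directory the API may delete from


def origin_allowed(headers):
    """CSRF check: accept only requests whose Origin is an allow-listed site."""
    origin = headers.get("Origin")
    if not origin:
        return False  # no Origin header: refuse rather than guess
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def resolve_in_base(base, requested):
    """Return the real path of `requested` if it stays inside `base`, else None."""
    base_real = os.path.realpath(base)
    # os.path.join discards `base` when `requested` is absolute, which is the
    # absolute path traversal case, so containment is checked on the resolved
    # result (symlinks and ".." collapsed) rather than on the input string.
    target = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return target if inside and target != base_real else None


def handle_delete(headers, requested, base=TRANSFER_DIR):
    """Decide a delete request; returns (status, resolved_path_or_None)."""
    if not origin_allowed(headers):
        return 403, None          # cross-site or origin-less request
    target = resolve_in_base(base, requested)
    if target is None:
        return 400, None          # path escapes the transfer directory
    if not os.path.isfile(target):
        return 404, None
    os.remove(target)
    return 200, target
```
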

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of files on the user's system.

Remediation

Users are advised to update TenderDocTransfer to version 0.41.159 or later.

Added: Nov 17, 2025, 4:18 AM
Updated: Nov 17, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.