Chunghwa Telecom TenderDocTransfer Arbitrary File Copy and Paste Vulnerability
Vulnerability
An arbitrary file copy and paste vulnerability has been identified in TenderDocTransfer, a file transfer application developed by Chunghwa Telecom, in versions prior to 0.41.159. The application runs a local web server whose APIs lack Cross-Site Request Forgery (CSRF) protection, so a web page the user is lured into visiting (for example through phishing) can issue requests to those APIs on the user's behalf without authentication. In addition, one of the APIs is vulnerable to absolute path traversal, which lets such a request copy arbitrary files from the user's system and paste them into any location. This could lead to information leakage, or to excessive hard drive space consumption if large volumes of files are copied.
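The two missing controls the advisory describes, an origin/anti-CSRF check on a localhost API and confinement of user-supplied paths to an allowed directory, are illustrated below in an added example. This is not code from TenderDocTransfer or Chunghwa Telecom; the handler name `handle_copy`, the `src`/`dst` parameters, the `X-CSRF-Token` header and the allowed origins are all hypothetical.

```python
"""Defensive checks for a localhost file-copy API (added example).

Demonstrates, for a hypothetical local web server, (1) refusing requests
that do not come from the application's own page and (2) refusing source
or destination paths that resolve outside an allowed base directory, so
absolute paths and ".." segments cannot reach arbitrary locations.
"""
import hmac
import secrets
import shutil
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Hypothetical: the only origins the app's own UI is served from.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}


def origin_allowed(headers: dict) -> bool:
    """Fail closed: a request with no Origin/Referer, or one naming a
    foreign site, did not come from the app's own page."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    scheme, _, rest = origin.partition("://")
    host = rest.split("/", 1)[0]          # drop any path from a Referer
    return f"{scheme}://{host}" in ALLOWED_ORIGINS


def token_valid(headers: dict, expected: str) -> bool:
    """Per-session anti-CSRF token sent in a custom header; a cross-site
    form post cannot set custom headers, and a token the attacker does
    not know cannot be guessed. Constant-time compare avoids leaks."""
    return hmac.compare_digest(headers.get("X-CSRF-Token", ""), expected)


def resolve_within(base: Path, user_path: str) -> Optional[Path]:
    """Confine a user-supplied path to `base`. An absolute path replaces
    `base` when joined, and '..' climbs out of it; both end up outside
    the resolved base and are refused."""
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base.resolve())
    except ValueError:
        return None
    return candidate


def handle_copy(headers: dict, params: dict, base: Path,
                token: str) -> Tuple[int, str]:
    """Copy params['src'] to params['dst'], both confined to `base`.
    Returns an HTTP-style (status, message) pair."""
    if not origin_allowed(headers) or not token_valid(headers, token):
        return 403, "cross-site request refused"
    src = resolve_within(base, params.get("src", ""))
    dst = resolve_within(base, params.get("dst", ""))
    if src is None or dst is None:
        return 400, "path outside the transfer directory"
    if not src.is_file():
        return 404, "source not found"
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dst)
    return 200, "copied"


def demo() -> dict:
    """Run the handler against constructed requests in a throwaway dir."""
    base = Path(tempfile.mkdtemp())
    (base / "tender.pdf").write_bytes(b"constructed sample document")
    token = secrets.token_urlsafe(32)
    good = {"Origin": "http://localhost:8080", "X-CSRF-Token": token}
    outside = str(base.parent / "outside.txt")   # constructed absolute path
    results = {
        # legitimate in-app copy within the transfer directory
        "ok": handle_copy(good, {"src": "tender.pdf", "dst": "out/copy.pdf"},
                          base, token)[0],
        # request from a foreign page, no token: classic CSRF attempt
        "csrf": handle_copy({"Origin": "http://attacker.example"},
                            {"src": "tender.pdf", "dst": "x"}, base, token)[0],
        # absolute source path outside the allowed directory
        "abs": handle_copy(good, {"src": outside, "dst": "x"}, base, token)[0],
        # destination that climbs out with '..'
        "dotdot": handle_copy(good, {"src": "tender.pdf", "dst": "../esc.pdf"},
                              base, token)[0],
    }
    results["copied_exists"] = (base / "out" / "copy.pdf").is_file()
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The origin and token checks are independent layers: the origin check alone is defeated if the server ever reflects a permissive CORS policy, and the token alone is moot if it can be read cross-site, so a localhost API should carry both. Path confinement compares fully resolved paths on both sides so that symlinked temp directories and `..` segments are judged by where they actually land.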
Impact
Exploitation of this vulnerability allows for arbitrary file copying from the user's system, with the potential to paste the copied files into any location. This could result in unauthorized information access or excessive use of hard drive space.
Remediation
Users are advised to update TenderDocTransfer to version 0.41.159 or later.
