CVE-2024-12641
📋 TL;DR
TenderDocTransfer from Chunghwa Telecom has a reflected cross-site scripting (XSS) vulnerability and lacks CSRF protection. An unauthenticated remote attacker who lures a user into opening a crafted link (phishing) can execute arbitrary JavaScript in that user's browser, and because the application exposes Node.js features to the scripting context, the injected script can escalate to OS command execution on the host running the application. All users running vulnerable versions are affected.
💻 Affected Systems
- Chunghwa Telecom TenderDocTransfer
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on the host running TenderDocTransfer, leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Attackers steal session cookies, credentials, or sensitive data through XSS, potentially leading to account takeover and data exfiltration.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and user awareness training reducing phishing success.
🎯 Exploit Status
Exploitation requires user interaction via phishing but leverages well-known XSS and CSRF techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific version
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8299-42168-2.html
Restart Required: Yes
Instructions:
1. Check the vendor advisory for patch availability.
2. Download and install the latest version from Chunghwa Telecom.
3. Restart the TenderDocTransfer application and any related services.
🔧 Temporary Workarounds
Disable or restrict TenderDocTransfer (all platforms)
Temporarily disable the vulnerable application until patching is possible:
systemctl stop tenderdoctransfer
taskkill /F /IM TenderDocTransfer.exe
(The service and process names above are assumed; confirm the actual names on your installation before relying on them.)
Implement network segmentation (all platforms)
Isolate systems running TenderDocTransfer from critical networks.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Deploy web application firewall (WAF) with XSS and CSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Confirm whether TenderDocTransfer is installed and running, and compare its version with the fixed version listed in the vendor advisory.
Check Version:
Read the version from the application's interface (about/settings screen) or from the installation directory (executable properties or package metadata).
Verify Fix Applied:
Confirm the patched version is installed, then submit a harmless reflected-XSS probe (a parameter value containing an HTML tag such as <b>test</b>) to the affected page and confirm it is rendered as literal text rather than interpreted; also confirm that a state-changing request sent without the expected origin or CSRF token is rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual or unexpected calls to TenderDocTransfer endpoints, especially state-changing requests with a missing or foreign Referer/Origin
- Child processes (shell or command interpreter) spawned by the TenderDocTransfer process, the expected trace of script escalating to OS command execution
Network Indicators:
- HTTP requests with suspicious JavaScript payloads in parameters
- CSRF attempts to TenderDocTransfer APIs
SIEM Query (Splunk-style; the original form placed method="POST" AND referer="*" under an OR without grouping, so it matched every POST that carried any Referer):
source="*tenderdoctransfer*" AND (url="*<script*" OR url="*%3Cscript*" OR url="*onerror=*" OR (method="POST" AND NOT referer="https://<app-host>/*"))
Replace <app-host> with the hostname through which users normally reach the application; POSTs whose Referer is absent or from another origin are the CSRF candidates.