Platform
nodejs
Component
tenderdoctransfer
Fixed in
0.41.157
CVE-2024-12641 is a reflected cross-site scripting (XSS) vulnerability in TenderDocTransfer, a component developed by Chunghwa Telecom. An unauthenticated remote attacker can execute arbitrary JavaScript in a user's browser by getting that user to open a crafted link (phishing). Versions 0.41.151 through 0.41.156 are affected; the fix is in version 0.41.157.
The impact goes beyond that of a typical reflected XSS because of the potential for OS command execution. The attacker crafts a phishing link carrying malicious JavaScript; when the user opens it, the script runs in their browser in the context of the application. Because TenderDocTransfer runs on Node.js, the advisory states that this script can be leveraged to execute arbitrary OS commands on the host running the application, which can lead to full compromise of that host, data exfiltration and follow-on activity. The application's API is not protected against CSRF, which compounds the risk: the API calls can be triggered from a page the attacker controls, with no user interaction beyond opening the link.
CVE-2024-12641 was publicly disclosed on December 16, 2024. No active exploitation campaigns have been publicly confirmed, and the vulnerability is not currently listed in the CISA KEV catalog, but its CRITICAL severity and the path from XSS to OS command execution on a Node.js host make patching a high priority.
Organizations and individuals utilizing TenderDocTransfer in their workflows are at risk, particularly those relying on the application for sensitive data transfer. Shared hosting environments where multiple users share the same server instance are especially vulnerable, as a successful attack could potentially impact other users on the same server.
Detection checks (these only show whether the product appears in logs and whether defensive headers are set; they do not prove the vulnerability present or absent, and the log path is an assumption that depends on how the application is deployed):
• nodejs / server:
grep -r 'TenderDocTransfer' /var/log/nodejs/
• generic web (note that current browsers ignore X-XSS-Protection, so its presence is not a mitigation):
curl -I <target_url> | grep -i 'X-XSS-Protection'
• generic web:
curl -I <target_url> | grep -i 'Content-Security-Policy'
Disclosure
Exploit status
EPSS
31.44% (97th percentile)
CISA SSVC
CVSS vector
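The checks above tell you whether defences are configured, not whether anyone has tried the attack. The following is an added example, not code from the advisory or from Chunghwa Telecom, that scans access-log lines for the markup and script fragments a reflected-XSS attempt leaves in the query string, percent-decoding the query (including double encoding) before matching. The log lines, paths and parameter names are constructed for illustration; the combined log format is an assumption about how the front end logs requests.

```javascript
// Added example (not from the advisory or from Chunghwa Telecom): scan web access-log
// lines for query strings carrying reflected-XSS style payloads. The log lines, paths
// and parameter names below are constructed for illustration.
const SAMPLE_LOG = [
  '10.0.0.5 - - [16/Dec/2024:10:01:02 +0000] "GET /transfer/list?doc=tender-2024-01.pdf HTTP/1.1" 200 1532',
  '10.0.0.9 - - [16/Dec/2024:10:01:07 +0000] "GET /transfer/list?doc=%3Cscript%3Efetch(%27/api/run%27)%3C/script%3E HTTP/1.1" 200 1610',
  // double percent-encoded <img src=x onerror=alert(1)>, a common filter-evasion trick
  '10.0.0.9 - - [16/Dec/2024:10:01:09 +0000] "GET /transfer/list?doc=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1598',
  '10.0.0.7 - - [16/Dec/2024:10:02:00 +0000] "POST /api/upload HTTP/1.1" 201 88',
].join('\n');

// Indicators of markup or script being smuggled through a query parameter.
const INDICATORS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'html-tag', re: /<\s*(img|svg|iframe|object|embed|body)\b/i },
];

// Percent-decode repeatedly (bounded) so double-encoded payloads are normalised before
// matching; '+' is treated as a space as in application/x-www-form-urlencoded.
function fullyDecode(s, maxRounds = 3) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed escape sequence: keep what we have rather than crash the scan
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Extract the request target from a combined-log-format entry; null if the line
// does not look like one.
function extractUrl(line) {
  const m = line.match(/"[A-Z]+\s+(\S+)\s+HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return a finding for the line, or null when there is nothing suspicious.
function scanLine(line) {
  const url = extractUrl(line);
  if (!url) return null;
  const q = url.indexOf('?');
  if (q < 0) return null; // no query string, so nothing is reflected from it
  const decoded = fullyDecode(url.slice(q + 1));
  const indicators = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  return indicators.length ? { url, decoded, indicators } : null;
}

function scanLog(text) {
  return text.split('\n').map(scanLine).filter(Boolean);
}

// Two of the four constructed lines are flagged: the script tag and the double-encoded img tag.
const SAMPLE_FINDINGS = scanLog(SAMPLE_LOG);
for (const f of SAMPLE_FINDINGS) console.log(`${f.indicators.join(',')}\t${f.url}`);
```

Feed real log text to `scanLog` and review the `decoded` field of each finding; the indicator list is deliberately short and will miss obfuscated payloads, so treat it as a triage aid, not a WAF.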
The primary mitigation for CVE-2024-12641 is to upgrade TenderDocTransfer to version 0.41.157 or later without delay. If that is not immediately possible, apply strict input validation and context-aware output encoding on every endpoint that reflects request data into a response, and deploy a Content Security Policy (CSP) that restricts the sources from which scripts may load. A web application firewall (WAF) configured to detect and block XSS payloads adds a further layer, but neither a WAF nor CSP addresses the missing CSRF protection on the API, so these are stop-gaps rather than a substitute for the vendor fix. Monitor API and web request logs for suspicious patterns such as HTML tags, event-handler attributes or percent-encoded script in query parameters.
Update TenderDocTransfer to a fixed version that implements CSRF protection for the APIs. As an interim measure, avoid opening suspicious links or documents that could exploit the reflected XSS vulnerability. Contact the vendor (Chunghwa Telecom) to obtain the updated version.
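To make the attack chain and the mitigations above concrete, the following added example (not code from the advisory or from TenderDocTransfer) shows a Node.js request handler that reflects a query parameter unencoded into HTML, the hardened handler with allow-list validation, output encoding and a Content-Security-Policy header, and an origin and header check for a state-changing API of the kind the advisory describes as unprotected against CSRF. The route, parameter name, listening origin and header values are hypothetical; the handlers take a plain request-like object and return a response object so they can be exercised without opening a socket.

```javascript
// Added example (not code from the advisory or from TenderDocTransfer): a reflected-XSS
// sink in a Node.js handler next to its hardened form, plus an origin check for a
// state-changing API. Route, parameter name, listening origin and header values are
// hypothetical. Handlers take a plain { method, url, headers } object and return
// { status, headers, body } so they can be exercised without a socket.

const BASE = 'http://localhost:8080'; // assumed listening origin of the local Node.js app

// --- Vulnerable: the query parameter lands in the HTML response unencoded ---
function vulnerableHandler(req) {
  const doc = new URL(req.url, BASE).searchParams.get('doc') ?? '';
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `<h1>Transfer status for ${doc}</h1>`, // XSS sink: ?doc=<script>...</script> runs in the victim's browser
  };
}

// --- Hardened: allow-list the input, encode the output, and restrict script sources ---
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

const DOC_NAME = /^[A-Za-z0-9._-]{1,128}$/; // document names never legitimately contain markup

const SECURITY_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  // No inline script and no remote script: even a missed encoding bug cannot run injected JS.
  'Content-Security-Policy':
    "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; base-uri 'none'; form-action 'self'",
  'X-Content-Type-Options': 'nosniff',
};

function hardenedHandler(req) {
  const doc = new URL(req.url, BASE).searchParams.get('doc') ?? '';
  if (!DOC_NAME.test(doc)) {
    return { status: 400, headers: SECURITY_HEADERS, body: '<h1>Invalid document name</h1>' };
  }
  // Encode anyway: validation and output encoding are independent layers.
  return { status: 200, headers: SECURITY_HEADERS, body: `<h1>Transfer status for ${escapeHtml(doc)}</h1>` };
}

// --- CSRF: a state-changing API must not be callable from an arbitrary origin ---
// Node's http module lower-cases header names; the checks below assume that.
function isTrustedApiRequest(req) {
  const h = req.headers || {};
  if (req.method !== 'POST') return false;                      // no state changes on GET
  if (h['origin'] !== BASE) return false;                        // cross-site or missing Origin
  if (h['content-type'] !== 'application/json') return false;    // HTML forms cannot send this type
  if (h['x-requested-with'] !== 'XMLHttpRequest') return false;  // custom header forces a CORS preflight
  return true;
}

function apiHandler(req) {
  const headers = { 'Content-Type': 'application/json' };
  if (!isTrustedApiRequest(req)) {
    return { status: 403, headers, body: '{"error":"cross-site request rejected"}' };
  }
  // Real work would go here; never pass request data to a shell.
  return { status: 200, headers, body: '{"ok":true}' };
}
```

To serve this with Node's `http` module, pass `{ method: req.method, url: req.url, headers: req.headers }` to `hardenedHandler` or `apiHandler` and write the returned status, headers and body. The CSRF check only keeps other origins out; script that already runs inside the application's origin through the XSS can call the API freely, which is why output encoding and CSP come first and the vendor fix is the real remedy.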
CVE-2024-12641 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in Chunghwa Telecom's TenderDocTransfer, allowing attackers to execute JavaScript code in a user's browser.
You are affected if you are using TenderDocTransfer versions 0.41.151 through 0.41.156. Upgrade to 0.41.157 to mitigate the risk.
Upgrade TenderDocTransfer to version 0.41.157 or later. Implement input validation and output encoding as an interim measure.
While no active exploitation has been confirmed, the vulnerability's critical severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the Chunghwa Telecom security advisory for detailed information and updates regarding CVE-2024-12641.