Platform: nodejs
Component: tenderdoctransfer
Fixed in: 0.41.157
CVE-2024-12641 describes a Reflected Cross-Site Scripting (XSS) vulnerability present in TenderDocTransfer, a component developed by Chunghwa Telecom. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript code within a user's browser through carefully crafted phishing attacks. The vulnerability affects versions 0.41.151 through 0.41.156, and a fix is available in version 0.41.157.
The impact of this XSS vulnerability is significant. Attackers can leverage it to steal user session cookies, redirect users to malicious websites, or deface the application. Given the application's use of Node.js features, attackers could potentially escalate the attack to execute operating system commands, significantly expanding the blast radius. The lack of CSRF protection exacerbates the risk, making phishing attacks more effective. Successful exploitation could lead to complete compromise of user accounts and sensitive data.
CVE-2024-12641 was publicly disclosed on December 16, 2024. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability's CRITICAL CVSS score suggests a high probability of exploitation. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS: 31.44% (97th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12641 is to immediately upgrade TenderDocTransfer to version 0.41.157 or later. If upgrading is not immediately feasible, implement strict input validation and output encoding on all user-supplied data to prevent the injection of malicious scripts. Consider implementing a Content Security Policy (CSP) to restrict the sources from which scripts can be executed. Monitor application logs for suspicious activity, particularly requests containing unusual characters or patterns that might indicate an attempted XSS attack.
Update TenderDocTransfer to a patched version that implements CSRF protection for the APIs. As a temporary measure, avoid opening suspicious links or documents that could exploit the reflected XSS vulnerability. Contact the vendor (Chunghwa Telecom) for the updated version.
CVE-2024-12641 is a critical Reflected Cross-Site Scripting (XSS) vulnerability in Chunghwa Telecom's TenderDocTransfer, allowing attackers to execute JavaScript code in a user's browser.
You are affected if you are using TenderDocTransfer versions 0.41.151 through 0.41.156. Upgrade to 0.41.157 to mitigate the risk.
Upgrade TenderDocTransfer to version 0.41.157 or later. Implement input validation and output encoding as an interim measure.
While no active exploitation has been confirmed, the vulnerability's critical severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the Chunghwa Telecom security advisory for detailed information and updates regarding CVE-2024-12641.