CVE-2025-13282 HIGH

CVE-2025-13282: Chunghwa Telecom|TenderDocTransfer - Arbitrary File Delete

Vendor Chunghwa Telecom
Product TenderDocTransfer
Weakness CWE-352 · CSRF
Published November 17, 2025
Last update November 17, 2025
View on NVD All CVEs

CVSS base score

7.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Key dates

02Disclosure timeline

November 17, 2025 CVE published
November 17, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-47174 WordPress Performance Lab Plugin <= 2.2.0 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2025-9894 Sync Feedly <= 1.0.1 - Cross-Site Request Forgery to Sync Trigger CVE-2024-22424 Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd CVE-2023-27431 WordPress Big Store Theme <= 1.9.3 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2024-25930 WordPress Custom Order Statuses for WooCommerce Plugin <= 1.5.2 is vulnerable to Cross Site Request Forgery (CSRF)