How to fix CVE-2025-13283?

Within 30 days: Identify all affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Tenderdoctransfer affected by CVE-2025-13283?

Organizations using TenderDocTransfer developed by Chunghwa Telecom face moderate risk from CVE-2025-13283 rated CVSS 7.0. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and consider compensating controls in the interim.

CVE-2025-13283

HIGH

2025-11-17 [email protected]

7.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:22 vuln.today

CVE Published

Nov 17, 2025 - 04:15 nvd

HIGH 7.0

Description

TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes.

Analysis

TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical Context

This vulnerability is classified under CWE-36. TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes. Affected products include: Cht Tenderdoctransfer.

Affected Products

Cht Tenderdoctransfer.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +35

POC: 0

CVE-2025-13283 vulnerability details – vuln.today

Back

CVE-2025-13283

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-13283

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code