CVE-2024-12643
Dec. 16, 2024, 7:15 a.m.
Tags
CVSS Score
Product(s) Impacted
tbm-client from Chunghwa Telecom
Description
The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.
Weaknesses
CWE-36
Absolute Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
CWE ID: 36Date
Published: Dec. 16, 2024, 7:15 a.m.
Last Modified: Dec. 16, 2024, 7:15 a.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
twcert@cert.org.tw
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
Exploitability Score
Impact Score
Base Severity
HIGHCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H