Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Chunghwa Telecom

Source -

CNA

BOS Name -

N/A

CNA CVEs -

12

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
12Vulnerabilities found
CVE-2024-12646
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.1||HIGH
EPSS-0.55% / 66.86%
||
7 Day CHG-0.01%
Published-16 Dec, 2024 | 06:54
Updated-16 Dec, 2024 | 16:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom topm-client - Arbitrary File Delete

The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Action-Not Available
Vendor-Chunghwa Telecom
Product-topm-client
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-36
Absolute Path Traversal
CVE-2024-12645
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 20.05%
||
7 Day CHG~0.00%
Published-16 Dec, 2024 | 06:49
Updated-16 Dec, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom topm-client - Arbitrary File Read

The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system.

Action-Not Available
Vendor-Chunghwa Telecom
Product-topm-client
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12644
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.1||HIGH
EPSS-0.14% / 33.92%
||
7 Day CHG+0.01%
Published-16 Dec, 2024 | 06:45
Updated-16 Dec, 2024 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom tbm-client - Arbitrary File Copy and Paste

The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes.

Action-Not Available
Vendor-Chunghwa Telecom
Product-tbm-client
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-36
Absolute Path Traversal
CVE-2024-12643
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.1||HIGH
EPSS-0.55% / 66.86%
||
7 Day CHG-0.01%
Published-16 Dec, 2024 | 06:37
Updated-16 Dec, 2024 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom tbm-client - Arbitrary File Delete

The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Action-Not Available
Vendor-Chunghwa Telecom
Product-tbm-client
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-36
Absolute Path Traversal
CVE-2024-12642
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.1||HIGH
EPSS-0.14% / 35.03%
||
7 Day CHG-0.00%
Published-16 Dec, 2024 | 06:30
Updated-16 Dec, 2024 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom TenderDocTransfer - Arbitrary File Write

TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to write arbitrary files to any path on the user's system.

Action-Not Available
Vendor-Chunghwa Telecom
Product-TenderDocTransfer
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2024-12641
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.6||CRITICAL
EPSS-22.21% / 95.58%
||
7 Day CHG~0.00%
Published-16 Dec, 2024 | 06:14
Updated-16 Dec, 2024 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom TenderDocTransfer - Reflected Cross-site Scripting to RCE

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.

Action-Not Available
Vendor-Chunghwa Telecom
Product-TenderDocTransfer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41355
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.58% / 67.85%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 05:55
Updated-14 Oct, 2024 | 04:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Improper Input Validation

Chunghwa Telecom NOKIA G-040W-Q Firewall function has a vulnerability of input validation for ICMP redirect messages. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted package to modify the network routing table, resulting in a denial of service or sensitive information leaking.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-940
Improper Verification of Source of a Communication Channel
CWE ID-CWE-20
Improper Input Validation
CVE-2023-41354
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-4||MEDIUM
EPSS-0.06% / 18.53%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 05:52
Updated-03 Oct, 2024 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Exposure of Sensitive Information

Chunghwa Telecom NOKIA G-040W-Q Firewall function does not block ICMP TIMESTAMP requests by default, an unauthenticated remote attacker can exploit this vulnerability by sending a crafted package, resulting in partially sensitive information exposed to an actor.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Q
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-41353
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.27% / 50.10%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 05:48
Updated-06 Sep, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Weak Password Requirements

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of weak password requirements. A remote attacker with regular user privilege can easily infer the administrator password from system information after logging system, resulting in admin access and performing arbitrary system operations or disrupt service.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-521
Weak Password Requirements
CVE-2023-41352
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.2||HIGH
EPSS-0.18% / 39.75%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 05:44
Updated-06 Sep, 2024 | 19:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Command Injection

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient filtering for user input. A remote attacker with administrator privilege can exploit this vulnerability to perform a Command Injection attack to execute arbitrary commands, disrupt the system or terminate services.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-41351
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.09% / 25.65%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 05:41
Updated-04 Sep, 2024 | 20:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Broken Access Control

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of authentication bypass, which allows an unauthenticated remote attacker to bypass the authentication mechanism to log in to the device by an alternative URL. This makes it possible for unauthenticated remote attackers to log in as any existing users, such as an administrator, to perform arbitrary system operations or disrupt service.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2023-41350
Assigner-TWCERT/CC
ShareView Details
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.06% / 19.53%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 04:44
Updated-06 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Excessive Authentication Attempts

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts