CVE-2024-12646

HIGH Year: 2024
CVSS v3 Score
8.1
High
Weakness Type
CWE-36
View all →

Vulnerability Description

The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Related Vulnerabilities

CVE-2024-12643

HIGH
CVSS:8.1(High)

The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to t...

CWE-362024

CVE-2018-20250

HIGH
CVSS:7.8(High)

In WinRAR versions prior to and including 5.61, There is path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with s...

CWE-362018

CVE-2024-33620

HIGH
CVSS:8.6(High)

Absolute path traversal vulnerability exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, the file contents including sensitive information on the server m...

CWE-362024

CVE-2024-48248

HIGH
CVSS:8.6(High)

NAKIVO Backup & Replication before 11.0.0.88174 allows absolute path traversal for reading files via getImageByPath to /c/router (this may lead to remote code execution across the enterprise because P...

CWE-362024

CVE-2021-1296

HIGH
CVSS:7.5(High)

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct d...

CWE-362021

CVE-2021-1297

HIGH
CVSS:7.5(High)

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers could allow an unauthenticated, remote attacker to conduct d...

CWE-362021