
CERT Coordination Center

CuteSoft Cute Editor 6.4 reflected cross-site scripting

Vulnerability Note VU#247235

Original Release Date: 2012-08-16 | Last Revised: 2013-05-15

Overview

CuteSoft Cute Editor 6.4, and possibly other versions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.

Description

CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The value of the _UploadID GET request parameter of InsertDocument.aspx is reflected into the response without adequate output encoding, so a crafted value is executed as script in the victim's browser.

Proof of Concept:
_UploadID=InputFileImage_1340289404744_15ff6c','unabletofind');alert(1)//167adfd47572ff250

Impact

A remote attacker who convinces an authenticated user to open a crafted link may be able to execute arbitrary script in the context of the user's session and thereby disclose sensitive information, steal the user's cookies, or escalate privileges.

Solution

Apply an Update

Cute Editor 6.6 addresses this vulnerability.

Vendor Information


CuteSoft Affected

Notified:  July 03, 2012 Updated: August 16, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics (CVSS v2)

Group          Score   Vector
Base           3.5     AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal       2.8     E:POC/RL:U/RC:UC
Environmental  2.8     CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-2985
Date Public: 2012-08-16
Date First Published: 2012-08-16
Date Last Updated: 2013-05-15 19:24 UTC
Document Revision: 18

Sponsored by CISA.