Vulnerability Note VU#247235

CuteSoft Cute Editor 6.4 reflected cross site scripting

Original Release date: 16 Aug 2012 | Last revised: 15 May 2013

Overview

CuteSoft Cute Editor 6.4, and possibly other versions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.

Description

CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The GET request parameter called _UploadID in InsertDocument.aspx is vulnerable to XSS.

Proof of Concept:
_UploadID=InputFileImage_1340289404744_15ff6c','unabletofind');alert(1)//167adfd47572ff250
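
A detection check for the request described above, as an added example that is not part of the original note: it scans web server access logs for InsertDocument.aspx requests whose _UploadID value is not a plain identifier. The identifier pattern, the /app/ path prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

PAGE = "insertdocument.aspx"
PARAM = "_uploadid"
# Assumption: a legitimate _UploadID is a plain identifier (letters, digits,
# underscores), like the prefix of the value in the proof of concept.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]{1,128}")

# Constructed sample log lines; "/app/" is a placeholder path prefix.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2012:10:00:00 +0000] "GET /app/InsertDocument.aspx'
    '?_UploadID=InputFileImage_1340289404744_15ff6c HTTP/1.1" 200 5120',
    '192.0.2.11 - - [16/Aug/2012:10:00:05 +0000] "GET /app/InsertDocument.aspx'
    '?_UploadID=InputFileImage_1340289404744_15ff6c%27%2C%27unabletofind%27%29'
    '%3Balert%281%29%2F%2F167adfd47572ff250 HTTP/1.1" 200 5201',
    "2012-08-16 10:00:09 GET /app/InsertDocument.aspx _UploadID=InputFileImage_"
    "1340289404744_15ff6c','unabletofind');alert(1)//167adfd47572ff250 80 - 192.0.2.12 200",
    '192.0.2.13 - - [16/Aug/2012:10:00:12 +0000] "GET /app/Default.aspx HTTP/1.1" 200 900',
]

def flagged_values(query):
    """Return decoded _UploadID values in a query string that are not plain identifiers."""
    # parse_qsl percent-decodes, so encoded quotes and parentheses are caught too.
    return [value for name, value in parse_qsl(query)
            if name.lower() == PARAM and not SAFE_VALUE.fullmatch(value)]

def scan(log_lines):
    """Return (line_number, decoded_value) pairs for suspicious InsertDocument.aspx requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        tokens = [token.strip('"') for token in line.split()]
        for i, token in enumerate(tokens):
            path, has_query, query = token.partition("?")
            if not path.lower().endswith(PAGE):
                continue
            # W3C-style logs keep the query string in the field after the path.
            if not has_query and i + 1 < len(tokens):
                query = tokens[i + 1]
            hits.extend((number, value) for value in flagged_values(query))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious _UploadID {value!r}")
```

A hit shows that a crafted value was requested, not that a script ran in a user's browser; review the client address and referrer of each flagged line.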

Impact

A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.

Solution

Apply an Update

Cute Editor 6.6 addresses this vulnerability.

Vendor Information

Vendor    Status    Date Notified  Date Updated
CuteSoft  Affected  03 Jul 2012    16 Aug 2012

CVSS Metrics

Group Score Vector
Base 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal 2.8 E:POC/RL:U/RC:UC
Environmental 2.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2985
  • Date Public: 16 Aug 2012
  • Date First Published: 16 Aug 2012
  • Date Last Updated: 15 May 2013
  • Document Revision: 17
