
CERT Coordination Center

CuteSoft Cute Editor 6.4 reflected cross site scripting

Vulnerability Note VU#247235

Original Release Date: 2012-08-16 | Last Revised: 2013-05-15


CuteSoft Cute Editor 6.4, and possibly other versions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.


CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The GET request parameter called _UploadID in InsertDocument.aspx is vulnerable to XSS.

Proof of Concept:


A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.


Apply an Update

Cute Editor 6.6 addresses this vulnerability.
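
To review access logs for requests that target the affected parameter, for example on hosts not yet updated to 6.6, the following added example (not part of the original note and not CuteSoft code) flags requests to InsertDocument.aspx whose _UploadID value is not a plain token. It assumes combined-format access logs and that legitimate _UploadID values are short alphanumeric tokens; the /editor/ path and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate _UploadID values are short tokens of letters, digits,
# hyphens and underscores. Adjust to what your deployment actually issues.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_upload_ids(request_target):
    """Return decoded _UploadID values that fail the allowlist (empty ones included)."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/insertdocument.aspx"):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == "_uploadid":
            value = decode_fully(value)  # parse_qsl already decoded one layer
            if not SAFE_VALUE.fullmatch(value):
                hits.append(value)
    return hits

def scan_log(lines):
    """Yield (line_number, client_ip, decoded_value) for each flagged request."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.match(line)
        if match:
            for value in suspicious_upload_ids(match.group(2)):
                yield number, match.group(1), value

# Constructed sample log lines (not real traffic, not the note's proof of concept).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2012:10:00:01 +0000] "GET /editor/InsertDocument.aspx?_UploadID=a1b2c3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Aug/2012:10:00:09 +0000] "GET /editor/InsertDocument.aspx?_UploadID=%22%3E%3Cb%3E HTTP/1.1" 200 5133',
    '198.51.100.7 - - [16/Aug/2012:10:00:12 +0000] "GET /editor/InsertDocument.aspx?_UploadID=%2522%253E%253Cb%253E HTTP/1.1" 200 5133',
    '203.0.113.5 - - [16/Aug/2012:10:00:20 +0000] "GET /other.aspx?_UploadID=%3Cb%3E HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A flagged line shows only that markup characters were sent to the parameter; whether the response reflected them unencoded depends on the installed version.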

Vendor Information


CuteSoft Affected

Notified: July 03, 2012 | Updated: August 16, 2012



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group | Score | Vector
Base | 3.5 | AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal | 2.8 | E:POC/RL:U/RC:UC
Environmental | 2.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-2985
Date Public: 2012-08-16
Date First Published: 2012-08-16
Date Last Updated: 2013-05-15 19:24 UTC
Document Revision: 18

Sponsored by CISA.