
CERT Coordination Center

CuteSoft Cute Editor 6.4 reflected cross site scripting

Vulnerability Note VU#247235

Original Release Date: 2012-08-16 | Last Revised: 2013-05-15


CuteSoft Cute Editor 6.4, and possibly other versions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.


CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The GET request parameter called _UploadID in InsertDocument.aspx is vulnerable to XSS.

Proof of Concept:


A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.


Apply an Update

Cute Editor 6.6 addresses this vulnerability.
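
Where an update cannot be applied right away, web server logs can be reviewed for requests that put unexpected characters into the _UploadID parameter of InsertDocument.aspx. The following is an added example, not part of the original note or of any CuteSoft code; the IIS W3C log layout, the /editor/ path, the sample log lines and the allow-list for a legitimate _UploadID are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumption (not from the advisory): a legitimate _UploadID is a short token
# of letters, digits, '-' or '_'. Adjust to what your deployment really sends.
SAFE_UPLOAD_ID = re.compile(r"[A-Za-z0-9_-]{0,64}")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for each unsafe _UploadID seen."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/insertdocument.aspx"):
            continue
        for pair in row.get("cs-uri-query", "").split("&"):
            name, _, raw = pair.partition("=")
            # ASP.NET treats query-string keys case-insensitively.
            if unquote_plus(name).lower() != "_uploadid":
                continue
            value = decode_fully(raw)
            if not SAFE_UPLOAD_ID.fullmatch(value):
                hits.append((row.get("c-ip", "-"), value))
    return hits

# Constructed sample in IIS W3C format; paths and addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-08-20 10:01:02 GET /editor/InsertDocument.aspx _UploadID=a1b2c3 192.0.2.10 200
2012-08-20 10:05:41 GET /editor/InsertDocument.aspx _UploadID=abc%3Cxyz%3E 198.51.100.7 200
2012-08-20 10:06:13 GET /editor/InsertDocument.aspx x=1&_uploadid=abc%253Cxyz%253E 198.51.100.8 200
2012-08-20 10:07:30 GET /editor/Other.aspx _UploadID=abc%3Cxyz%3E 198.51.100.9 200
"""

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{value!r}")
```

A hit means only that the value fell outside the assumed allow-list; review the decoded value before treating it as an attempt.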

Vendor Information



Notified:  July 03, 2012 Updated:  August 16, 2012



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group          Score  Vector
Base           3.5    AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal       2.8    E:POC/RL:U/RC:UC
Environmental  2.8    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-2985
Date Public: 2012-08-16
Date First Published: 2012-08-16
Date Last Updated: 2013-05-15 19:24 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.