search menu icon-carat-right cmu-wordmark

CERT Coordination Center

CuteSoft Cute Editor 6.4 reflected cross site scripting

Vulnerability Note VU#247235

Original Release Date: 2012-08-16 | Last Revised: 2013-05-15

Overview

CuteSoft Cute Editor 6.4, and possibly other verions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.

Description

CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The GET request parameter called _UploadID in InsertDocument.aspx is vulnerable to XSS.

Proof of Concept:
_UploadID=InputFileImage_1340289404744_15ff6c','unabletofind');alert(1)//167adfd47572ff250

Impact

A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.

Solution

Apply an Update

Cute Editor 6.6 addresses this vulnerability.

Vendor Information

247235
 
Affected   Unknown   Unaffected

CuteSoft

Notified:  July 03, 2012 Updated:  August 16, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal 2.8 E:POC/RL:U/RC:UC
Environmental 2.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-2985
Date Public: 2012-08-16
Date First Published: 2012-08-16
Date Last Updated: 2013-05-15 19:24 UTC
Document Revision: 17

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.