CuteSoft Cute Editor 6.4 reflected cross site scripting

2012-08-16T00:00:00
ID VU:247235
Type cert
Reporter CERT
Modified 2013-05-15T00:00:00

Description

Overview

CuteSoft Cute Editor 6.4, and possibly other verions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.

Description

CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The GET request parameter called _UploadID in InsertDocument.aspx is vulnerable to XSS.

Proof of Concept:
_UploadID=InputFileImage_1340289404744_15ff6c','unabletofind');alert(1)//167adfd47572ff250


Impact

A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.


Solution

Apply an Update

Cute Editor 6.6 addresses this vulnerability.


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
CuteSoft| | 03 Jul 2012| 16 Aug 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 3.5 | AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal | 2.8 | E:POC/RL:U/RC:UC
Environmental | 2.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • <http://cwe.mitre.org/data/definitions/79.html>
  • <http://cutesoft.net/ASP.NET+WYSIWYG+Editor/>

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2985
  • Date Public: 16 Aug 2012
  • Date First Published: 16 Aug 2012
  • Date Last Updated: 15 May 2013
  • Document Revision: 17