CuteSoft Cute Editor 6.4 reflected cross site scripting

ID VU:247235
Type cert
Reporter CERT
Modified 2013-05-15T00:00:00



CuteSoft Cute Editor 6.4, and possibly other verions, contains a reflected cross-site scripting (XSS) (CWE-79) vulnerability.


CuteSoft Cute Editor 6.4 has been reported to contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability. The GET request parameter called _UploadID in InsertDocument.aspx is vulnerable to XSS.

Proof of Concept:


A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.


Apply an Update

Cute Editor 6.6 addresses this vulnerability.

Vendor Information

Vendor| Status| Date Notified| Date Updated
CuteSoft| | 03 Jul 2012| 16 Aug 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 3.5 | AV:N/AC:M/Au:S/C:N/I:P/A:N
Temporal | 2.8 | E:POC/RL:U/RC:UC
Environmental | 2.8 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND


  • <>
  • <>


Thanks to the reporter who wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2985
  • Date Public: 16 Aug 2012
  • Date First Published: 16 Aug 2012
  • Date Last Updated: 15 May 2013
  • Document Revision: 17