Reflected Cross-Site Scripiting in CuteEditor

Subject: Reflected Cross-Site Scripiting in CuteEditor

# Exploit Title: Reflected Cross-Site Scripiting in CuteEditor
# Google Dork: inurl:/CuteSoft_Client/CuteEditor/ Template.aspx
# Date: 2016/03/14
# CVSS Score: 5.8
# CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:N)
# Author: Adriano Marcio Monteiro
# E-mail:
# Blog:
# Vendor:
# Software:
# Version: multiples
# Test Type:     Gray Box
# Tested on:     Windows 8 Pro x64, Firefox 44 / IE 11 / Chrome 45

*** Preamble ***
Cute Editor for ASP.NET is vulnerable to reflected cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials for example.

*** PoC ***
Cross-site scripting (XSS) vulnerability in "Template.aspx" in CuteSoft Cute Editor allows remote unauthenticated users to inject arbitrary web script or HTML via the "Referrer" parameter.



Copyright © 1995-2018 All rights reserved.