CVE-2004-1712
Description
Cross-site scripting (XSS) vulnerability in TypePad allows remote attackers to inject arbitrary Javascript via the name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
Root cause
"Insufficient filtering of the `name` parameter allows a double-quote preceded by `?` to close an `<a href="` tag and inject arbitrary JavaScript event handlers."
Attack vector
An attacker supplies a crafted URL to the `name` parameter that includes a double-quote character preceded by a `?`. Because the filtering script does not sanitize this sequence, the injected quote closes the `<a href="` tag, allowing the attacker to inject event-handler attributes such as `onmouseover` that execute arbitrary JavaScript when a victim interacts with the link [ref_id=1]. The attack is delivered over HTTP and requires no authentication beyond visiting the maliciously crafted page.
What the fix does
The advisory recommends replacing all special characters with their `&#xx;` HTML-entity equivalents to prevent tag injection [ref_id=1]. No official patch is shown in the bundle; the vendor would need to apply output encoding to the `name` parameter so that user-supplied input cannot break out of the HTML attribute context.
Preconditions
- inputThe attacker must be able to supply a URL to the TypePad name parameter that includes a double-quote preceded by a question mark.
- networkThe victim must visit the crafted URL (e.g., by clicking a link) and interact with the injected event handler.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.