CVE-2024-46494

5.4 MEDIUM

📋 TL;DR

This cross-site scripting vulnerability in Typecho v1.2.1 allows attackers to inject malicious scripts into the Name parameter when posting comments. When other users view the comment, the script executes in their browser context. This affects all Typecho v1.2.1 installations with comment functionality enabled.

💻 Affected Systems

Products:
  • Typecho
Versions: v1.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with comment functionality enabled. The vulnerability is in the comment form's Name field processing.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface the website.

🟠 Likely Case

Session hijacking, credential theft, or defacement of comment sections through stored XSS payloads.

🟢 If Mitigated

Limited impact if proper content security policies and input validation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available in the referenced GitHub repository. Exploitation requires no authentication and uses simple script injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check Typecho GitHub for security updates
2. Apply any available patches
3. Consider upgrading to a newer version if available
4. Review and sanitize all user inputs

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Add server-side validation to sanitize HTML/script tags in the Name parameter.

Modify the Typecho source code to escape HTML entities in comment name fields.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution.

Add a 'Content-Security-Policy' header with a script-src directive.

🧯 If You Can't Patch

  • Disable comment functionality entirely
  • Implement web application firewall rules to block XSS payloads in Name parameter

🔍 How to Verify

Check if Vulnerable:

Test by submitting a comment with a script payload like <script>alert('XSS')</script> in the Name field and check whether it executes when the comment is viewed.

Check Version:

Check the Typecho version in the admin panel or look at the version.php file.

Verify Fix Applied:

After applying fixes, test with the same payload to confirm it's properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in comment submissions
  • Multiple failed comment attempts with script payloads

Network Indicators:

  • HTTP requests with script tags in POST data to comment endpoints

SIEM Query:

source="web_logs" AND (uri_path="/action/comment" OR uri_path LIKE "%/comment%") AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")
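To run the SIEM logic above offline, here is an added example (not from the advisory or from Typecho) in Python that applies the same predicate to constructed log records. It assumes the records carry uri_path and request_body fields and that the comment form posts the Name value in a field called author; it URL-decodes the body before matching, because form-encoded POST data carries <script> as %3Cscript%3E, which the literal query would miss.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log records (not from the advisory or any real deployment);
# each dict mirrors the fields the advisory's SIEM query uses.
SAMPLE_LOGS = [
    {"src_ip": "198.51.100.7", "method": "POST", "uri_path": "/action/comment",
     "request_body": "author=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&text=hi"},
    {"src_ip": "198.51.100.8", "method": "POST", "uri_path": "/action/comment",
     "request_body": "author=Alice&text=Nice+post%21"},
    {"src_ip": "198.51.100.9", "method": "POST", "uri_path": "/index.php/action/comment",
     "request_body": "author=%3CSCRIPT+src%3D%22https%3A%2F%2Fexample.invalid%2Fx.js%22%3E&text=x"},
    {"src_ip": "198.51.100.10", "method": "POST", "uri_path": "/action/comment",
     "request_body": "author=Bob&url=javascript%3Aalert%281%29&text=x"},
    {"src_ip": "198.51.100.11", "method": "GET", "uri_path": "/archives/1/",
     "request_body": ""},
]

# The advisory's query looks for literal "<script>" / "javascript:" in the body.
# Matching case-insensitively on the decoded value also catches "<SCRIPT src=...>".
SCRIPT_MARKER = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

def is_comment_endpoint(uri_path):
    """Equivalent of uri_path="/action/comment" OR uri_path LIKE "%/comment%"."""
    return "/comment" in uri_path.lower()

def suspicious_fields(request_body):
    """Return the names of form fields whose decoded value carries a script marker."""
    hits = []
    for pair in request_body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        if SCRIPT_MARKER.search(unquote_plus(value)):
            hits.append(unquote_plus(name))  # "author" is the assumed Name field
    return hits

def find_xss_attempts(logs):
    """Apply the advisory's detection logic to a list of log records."""
    alerts = []
    for rec in logs:
        if rec["method"] != "POST" or not is_comment_endpoint(rec["uri_path"]):
            continue
        fields = suspicious_fields(rec["request_body"])
        if fields:
            alerts.append((rec["src_ip"], rec["uri_path"], fields))
    return alerts

if __name__ == "__main__":
    for ip, path, fields in find_xss_attempts(SAMPLE_LOGS):
        print(f"{ip} {path} script marker in field(s): {', '.join(fields)}")
```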
