CVE-2021-41182Cross-site Scripting in Jquery-ui

CWE-79Cross-site Scripting15 documents10 sources
Severity
6.1MEDIUMNVD
CNA6.5
EPSS
24.1%
top 3.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
22
Jquery Jquery-uiDrupalJqueryui Jquery UI+19 more
Timeline
PublishedOct 26
Latest updateJan 15

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages21 packages

CVEListV5jquery/jquery-ui< 1.13.0
npmjquery/jquery-ui< 1.13.0
NVDjqueryui/jquery_ui< 1.13.0
NVDdrupal/drupal7.07.86
NVDtenable/tenable.sc< 5.21.0

Also affects: Debian Linux 9.0, Fedora 33, 34, 35, 36

Patches

Patch: github.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

5
OSV
jqueryui vulnerabilities2023-10-05
CVEList
XSS in the `altField` option of the Datepicker widget2021-10-26
OSV
XSS in the `altField` option of the Datepicker widget in jquery-ui2021-10-26
GHSA
XSS in the `altField` option of the Datepicker widget in jquery-ui2021-10-26
OSV
CVE-2021-41182: jQuery-UI is the official jQuery user interface library2021-10-26

📋Vendor Advisories

9
Oracle
Oracle Oracle Retail Applications Risk Matrix: Internal Operations (jQuery) — CVE-2021-411822024-01-15
Ubuntu
jQuery UI vulnerabilities2023-10-05
Oracle
Oracle Oracle Siebel CRM Risk Matrix: Open UI (jQueryUI) — CVE-2021-411822022-10-15
Oracle
Oracle Oracle PeopleSoft Risk Matrix: XML Publisher (jQueryUI) — CVE-2021-411822022-07-15
Drupal
jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-0042022-01-19
CVE-2021-41182 — Cross-site Scripting in Jquery-ui | cvebase