CVE-2021-41183

Severity: 6.1 MEDIUM
EPSS: 2.9% (top 13.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 26; latest update Oct 5

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (24 packages)

Ecosystem     Package               Affected versions
npm           jquery-ui             < 1.13.0
RubyGems      jquery-ui-rails       < 7.0.0
CVEListV5     jquery/jquery-ui      < 1.13.0
NVD           jqueryui/jquery_ui    < 1.13.0
NuGet         jQuery.UI.Combined    < 1.13.0

Also affects: Debian Linux 9.0, Fedora 33, 34, 35, 36

Patches

Vulnerability Details (5)

OSV: jqueryui vulnerabilities (2023-10-05)
GHSA: XSS in `*Text` options of the Datepicker widget in jquery-ui (2021-10-26)
CVEList: XSS in `*Text` options of the Datepicker widget (2021-10-26)
OSV: CVE-2021-41183: jQuery-UI is the official jQuery user interface library (2021-10-26)
OSV: XSS in `*Text` options of the Datepicker widget in jquery-ui (2021-10-26)

Vendor Advisories (7)

Ubuntu: jQuery UI vulnerabilities (2023-10-05)
Oracle: Oracle Analytics Risk Matrix: Service Administration UI, BI Platform Security (jQueryUI) — CVE-2021-41183 (2023-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Vision (jQueryUI) — CVE-2021-41183 (2023-04-15)
Drupal: jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 (2022-01-19)
Drupal: Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 (2022-01-19)