CVE-2021-41184: Cross-site Scripting in Jquery-ui

CWE-79: Cross-site Scripting | 21 documents | 9 sources

Severity: 6.1 MEDIUM (NVD); 6.5 (CNA)
EPSS: 25.4% (top 3.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 26; Latest update Apr 15

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
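As an added example (not code from cvebase or from the jQuery UI project), the guard below applies the 1.13.0 rule on the caller's side: a string `of` value is only ever treated as a CSS selector, and a DOM node is passed through untouched. It assumes that the pre-1.13.0 resolution of `of` through jQuery's `$()` is what allowed a markup-looking string to be parsed as HTML; the names `resolvePositionTarget`, `looksLikeMarkup` and the injected `querySelectorFn` are this example's own, and in a browser the caller is assumed to pass `document.querySelector.bind(document)`.

```javascript
// Added example, not jQuery UI code. Normalise an untrusted `of` value before it
// reaches .position(). Assumption: before 1.13.0 a string `of` was resolved with
// $(), which parses strings that start with '<' as HTML; 1.13.0 treats every
// string as a CSS selector. Enforcing the same rule here makes the caller safe
// even on an older build. `querySelectorFn` is injected so this runs without a DOM.

function looksLikeMarkup(value) {
  // A CSS selector never begins with '<' (leading whitespace allowed), which is
  // exactly the shape jQuery hands to its HTML parser instead of its selector engine.
  return /^\s*</.test(value);
}

function resolvePositionTarget(of, querySelectorFn) {
  if (of && typeof of === 'object' && typeof of.nodeType === 'number') {
    return of; // already a DOM node: nothing to interpret
  }
  if (typeof of === 'string') {
    if (looksLikeMarkup(of)) {
      throw new TypeError('position: `of` must be a CSS selector, not markup');
    }
    const el = querySelectorFn(of); // selector semantics only, never HTML parsing
    if (!el) {
      throw new Error('position: no element matches selector ' + JSON.stringify(of));
    }
    return el;
  }
  throw new TypeError('position: unsupported `of` value of type ' + typeof of);
}

// Browser usage (assumed API shape of the page's own .position() call):
//   $(menu).position({
//     my: 'left top', at: 'left bottom',
//     of: resolvePositionTarget(untrustedValue, document.querySelector.bind(document))
//   });
```

Rejecting markup-looking strings up front, rather than relying on the selector engine to fail on them, keeps the error path explicit and easy to log; a selector that matches nothing is reported separately so that a missing anchor element is not mistaken for an injection attempt.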

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (21 packages)

Source | Package | Affected versions
CVEListV5 | jquery/jquery-ui | < 1.13.0
npm | jquery/jquery-ui | < 1.13.0
NVD | jqueryui/jquery_ui | < 1.13.0
Packagist | drupal/core | 8.0.0 to 9.2.11 (+1)
NVD | drupal/drupal | 7.0 to 7.86 (+2)

Also affects: Fedora 33, 34, 35, 36

Patches

Vulnerability Details (6)

OSV: jqueryui vulnerability (2022-09-09)
OSV: CVE-2021-41184: jQuery UI is a third-party library used by Drupal (2022-01-19)
CVEList: XSS in the `of` option of the `.position()` util (2021-10-26)
OSV: CVE-2021-41184: jQuery-UI is the official jQuery user interface library (2021-10-26)
GHSA: XSS in the `of` option of the `.position()` util in jquery-ui (2021-10-26)

Vendor Advisories (14)

Oracle: Oracle GoldenGate Risk Matrix: Embedded Web UI for Services (jQueryUI) — CVE-2021-41184 (2025-04-15)
Oracle: Oracle Utilities Applications Risk Matrix: General (jQueryUI) — CVE-2021-41184 (2024-10-15)
Oracle: Oracle Communications Risk Matrix: Security (jQueryUI) — CVE-2021-41184 (2024-07-15)
Ubuntu: jQuery UI vulnerabilities (2023-10-05)
Oracle: Oracle Commerce Risk Matrix: Experience Manager (jQueryUI) — CVE-2021-41184 (2023-07-15)
Source: cvebase