All the vulnerabilites related to jquery - jquery-ui
cve-2021-41184
Vulnerability from cvelistv5
Published
2021-10-26 00:00
Modified
2024-08-04 03:08
Severity ?
EPSS score ?
Summary
XSS in the `of` option of the `.position()` util
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.291Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280" }, { "name": "FEDORA-2021-51c256bf87", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/" }, { "name": "FEDORA-2021-ab38307fc3", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/" }, { "name": "FEDORA-2021-013ab302be", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20211118-0004/" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2022-001" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/tns-2022-09" }, { "name": "FEDORA-2022-9d655503ea", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/" }, { "name": "FEDORA-2022-bf18450366", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "jquery-ui", "vendor": "jquery", "versions": [ { "status": "affected", "version": "\u003c 1.13.0" } ] } ], "descriptions": [ { "lang": "en", "value": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/" }, { "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327" }, { "url": "https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280" }, { "name": "FEDORA-2021-51c256bf87", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/" }, { "name": "FEDORA-2021-ab38307fc3", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/" }, { "name": "FEDORA-2021-013ab302be", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20211118-0004/" }, { "url": "https://www.drupal.org/sa-core-2022-001" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://www.tenable.com/security/tns-2022-09" }, { "name": "FEDORA-2022-9d655503ea", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/" }, { "name": "FEDORA-2022-bf18450366", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/" }, { "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" } ], "source": { "advisory": "GHSA-gpqq-952q-5327", "discovery": "UNKNOWN" }, "title": "XSS in the `of` option of the `.position()` util" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41184", "datePublished": "2021-10-26T00:00:00", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.291Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41183
Vulnerability from cvelistv5
Published
2021-10-26 00:00
Modified
2024-08-04 03:08
Severity ?
EPSS score ?
Summary
XSS in `*Text` options of the Datepicker widget
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:08:31.304Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/pull/1953" }, { "tags": [ "x_transferred" ], "url": "https://bugs.jqueryui.com/ticket/15284" }, { "name": "FEDORA-2021-51c256bf87", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/" }, { "name": "FEDORA-2021-ab38307fc3", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/" }, { "name": "FEDORA-2021-013ab302be", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/" }, { "name": "[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2022-002" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20211118-0004/" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-contrib-2022-004" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2022-001" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/tns-2022-09" }, { "name": "FEDORA-2022-9d655503ea", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/" }, { "name": "FEDORA-2022-bf18450366", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "jquery-ui", "vendor": "jquery", "versions": [ { "status": "affected", "version": "\u003c 1.13.0" } ] } ], "descriptions": [ { "lang": "en", "value": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/" }, { "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4" }, { "url": "https://github.com/jquery/jquery-ui/pull/1953" }, { "url": "https://bugs.jqueryui.com/ticket/15284" }, { "name": "FEDORA-2021-51c256bf87", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/" }, { "name": "FEDORA-2021-ab38307fc3", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/" }, { "name": "FEDORA-2021-013ab302be", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/" }, { "name": "[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html" }, { "url": "https://www.drupal.org/sa-core-2022-002" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20211118-0004/" }, { "url": "https://www.drupal.org/sa-contrib-2022-004" }, { "url": "https://www.drupal.org/sa-core-2022-001" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://www.tenable.com/security/tns-2022-09" }, { "name": "FEDORA-2022-9d655503ea", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/" }, { "name": "FEDORA-2022-bf18450366", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/" }, { "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" } ], "source": { "advisory": "GHSA-j7qv-pgf6-hvh4", "discovery": "UNKNOWN" }, "title": "XSS in `*Text` options of the Datepicker widget" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41183", "datePublished": "2021-10-26T00:00:00", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.304Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41182
Vulnerability from cvelistv5
Published
2021-10-26 00:00
Modified
2024-08-04 02:59
Severity ?
EPSS score ?
Summary
XSS in the `altField` option of the Datepicker widget
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.655Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63" }, { "tags": [ "x_transferred" ], "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/" }, { "name": "FEDORA-2021-51c256bf87", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/" }, { "name": "FEDORA-2021-ab38307fc3", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/" }, { "name": "FEDORA-2021-013ab302be", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/" }, { "name": "[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-core-2022-002" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20211118-0004/" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-contrib-2022-004" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/tns-2022-09" }, { "name": "FEDORA-2022-9d655503ea", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/" }, { "name": "FEDORA-2022-bf18450366", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "jquery-ui", "vendor": "jquery", "versions": [ { "status": "affected", "version": "\u003c 1.13.0" } ] } ], "descriptions": [ { "lang": "en", "value": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-03T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc" }, { "url": "https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63" }, { "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/" }, { "name": "FEDORA-2021-51c256bf87", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/" }, { "name": "FEDORA-2021-ab38307fc3", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/" }, { "name": "FEDORA-2021-013ab302be", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/" }, { "name": "[debian-lts-announce] 20220119 [SECURITY] [DLA-2889-1] drupal7 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html" }, { "url": "https://www.drupal.org/sa-core-2022-002" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://security.netapp.com/advisory/ntap-20211118-0004/" }, { "url": "https://www.drupal.org/sa-contrib-2022-004" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "url": "https://www.tenable.com/security/tns-2022-09" }, { "name": "FEDORA-2022-9d655503ea", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/" }, { "name": "FEDORA-2022-bf18450366", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/" }, { "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" } ], "source": { "advisory": "GHSA-9gj3-hwp5-pmwc", "discovery": "UNKNOWN" }, "title": "XSS in the `altField` option of the Datepicker widget" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41182", "datePublished": "2021-10-26T00:00:00", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.655Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31160
Vulnerability from cvelistv5
Published
2022-07-20 00:00
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:11:39.646Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9" }, { "tags": [ "x_transferred" ], "url": "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9" }, { "tags": [ "x_transferred" ], "url": "https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/" }, { "tags": [ "x_transferred" ], "url": "https://www.drupal.org/sa-contrib-2022-052" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220909-0007/" }, { "name": "FEDORA-2022-22d8ba36d0", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/" }, { "name": "FEDORA-2022-1a01ed37e2", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/" }, { "name": "FEDORA-2022-7291b78111", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/" }, { "name": "[debian-lts-announce] 20221207 [SECURITY] [DLA 3230-1] jqueryui security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "jquery-ui", "vendor": "jquery", "versions": [ { "status": "affected", "version": "\u003c 1.13.2" } ] } ], "descriptions": [ { "lang": "en", "value": "jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( \"refresh\" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-07T00:00:00", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9" }, { "url": "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9" }, { "url": "https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/" }, { "url": "https://www.drupal.org/sa-contrib-2022-052" }, { "url": "https://security.netapp.com/advisory/ntap-20220909-0007/" }, { "name": "FEDORA-2022-22d8ba36d0", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/" }, { "name": "FEDORA-2022-1a01ed37e2", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/" }, { "name": "FEDORA-2022-7291b78111", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/" }, { "name": "[debian-lts-announce] 20221207 [SECURITY] [DLA 3230-1] jqueryui security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html" } ], "source": { "advisory": "GHSA-h6gj-6jjq-h8g9", "discovery": "UNKNOWN" }, "title": "jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31160", "datePublished": "2022-07-20T00:00:00", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:11:39.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }