Multiple vulnerabilities in jQuery UI



Published: 2021-11-20 | Updated: 2022-05-31
Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2021-41182
CVE-2021-41184
CVE-2021-41183
CWE-ID CWE-79
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Vulnerable software
Subscribe
jQuery UI
Web applications / JS libraries

Vendor The jQuery Team

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU58272

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41182

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of values passed as the `altField` option of the Datepicker widget. A remote attacker can inject and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jQuery UI: 1.5.1 - 1.12.1


CPE2.3 External links

http://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
http://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63
http://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
http://security.netapp.com/advisory/ntap-20211118-0004/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Cross-site scripting

EUVDB-ID: #VU58271

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41184

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of values passed to the `of` option. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jQuery UI: 1.5.1 - 1.12.1


CPE2.3 External links

http://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
http://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
http://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
http://security.netapp.com/advisory/ntap-20211118-0004/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Cross-site scripting

EUVDB-ID: #VU58270

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-41183

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing values of various `*Text` options. A remote attacker can pass specially crafted input to the library and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

jQuery UI: 1.5.1 - 1.12.1


CPE2.3 External links

http://bugs.jqueryui.com/ticket/15284
http://github.com/jquery/jquery-ui/pull/1953
http://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
http://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
http://security.netapp.com/advisory/ntap-20211118-0004/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###