Lucene search

K

GitHub_MCVELIST:CVE-2021-41182

HistoryOct 26, 2021 - 12:00 a.m.

CVE-2021-41182 XSS in the `altField` option of the Datepicker widget

2021-10-2600:00:00

CWE-79

GitHub_M

www.cve.org

7

cve-2021-41182

xss

datepicker

altfield

jquery-ui

untrusted sources

jquery

user interface

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.003

Percentile

71.3%

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

CNA Affected

[
  {
    "vendor": "jquery",
    "product": "jquery-ui",
    "versions": [
      {
        "version": "< 1.13.0",
        "status": "affected"
      }
    ]
  }
]

References

blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63

github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc

lists.debian.org/debian-lts-announce/2022/01/msg00014.html

lists.debian.org/debian-lts-announce/2023/08/msg00040.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/

security.netapp.com/advisory/ntap-20211118-0004/

www.drupal.org/sa-contrib-2022-004

www.drupal.org/sa-core-2022-002

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujul2022.html

www.tenable.com/security/tns-2022-09

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.003

Percentile

71.3%

Related for CVELIST:CVE-2021-41182

alpinelinux1 debiancve1 github1 osv7 redhatcve1 rubygems1 ubuntucve1 prion1 veracode1 cve1 nvd1 checkpoint_advisories1 drupal2 ibm24 openvas15 fedora6 f51 nessus14 debian3 hp1 ubuntu1 redhat1 adobe1 oracle9