CVE-2022-31160

2022-07-2020:15:08

Debian Security Bug Tracker

security-tracker.debian.org

jquery ui

cross-site scripting

vulnerability

html entities

remediation

javascript

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

60.7%

JSON

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

OSVersionArchitecturePackageVersionFilename
Debian12alljqueryui< 1.13.2+dfsg-1jqueryui_1.13.2+dfsg-1_all.deb
Debian11alljqueryui< 1.12.1+dfsg-8+deb11u2jqueryui_1.12.1+dfsg-8+deb11u2_all.deb
Debian999alljqueryui< 1.13.2+dfsg-1jqueryui_1.13.2+dfsg-1_all.deb
Debian13alljqueryui< 1.13.2+dfsg-1jqueryui_1.13.2+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	jqueryui	< 1.13.2+dfsg-1	jqueryui_1.13.2+dfsg-1_all.deb
Debian	11	all	jqueryui	< 1.12.1+dfsg-8+deb11u2	jqueryui_1.12.1+dfsg-8+deb11u2_all.deb
Debian	999	all	jqueryui	< 1.13.2+dfsg-1	jqueryui_1.13.2+dfsg-1_all.deb
Debian	13	all	jqueryui	< 1.13.2+dfsg-1	jqueryui_1.13.2+dfsg-1_all.deb