jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0: any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
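For applications that cannot upgrade yet, the workaround amounts to never handing an untrusted string straight to altField. The following added example (not code from the advisory or from jQuery UI; the function names and the id-only allowlist are this editor's assumptions) validates the value before it reaches the widget and omits the option when validation fails.

```javascript
// Added example: validate an altField value before it reaches the Datepicker.
// Assumption: the application only ever wires altField to an element by id,
// so a strict allowlist (a bare "#id" selector) is sufficient.
const ID_SELECTOR = /^#[A-Za-z_][\w-]*$/;

/**
 * Return the altField value if it is a bare id selector, otherwise null.
 * Rejecting anything that is not a simple selector keeps HTML-looking
 * strings (which jQuery UI < 1.13.0 passed to $() as a string, not as a
 * selector) out of the widget entirely.
 */
function sanitizeAltField(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  return ID_SELECTOR.test(trimmed) ? trimmed : null;
}

/**
 * Build the options object for $(el).datepicker(opts). altField is only set
 * when the untrusted value survives validation; otherwise the option is left
 * out, which matches the advisory's workaround of not accepting it at all.
 */
function datepickerOptions(untrustedAltField, extra = {}) {
  const opts = { dateFormat: "yy-mm-dd", ...extra };
  const altField = sanitizeAltField(untrustedAltField);
  if (altField !== null) {
    opts.altField = altField;
  }
  return opts;
}

// Constructed inputs, e.g. values read from a query string or a stored config.
const fromTrustedConfig = "#alt-date";
const fromUntrustedInput = "<p>not a selector</p>";
console.log(datepickerOptions(fromTrustedConfig));  // altField set
console.log(datepickerOptions(fromUntrustedInput)); // altField omitted
```

On 1.13.0 and later the same validation is still worthwhile, because an unexpected selector can still point the alternate field at the wrong element.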