An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS05Z2ozLWh3cDUtcG13Y80WtQ

Severity: Moderate
EPSS: 0.22267% (0.95538 percentile)

XSS in the `altField` option of the Datepicker widget in jquery-ui

Affected packages (affected versions / fixed versions)

rubygems:jquery-ui-rails: affected < 7.0.0, fixed in 7.0.0
311 Dependent packages
43,038 Dependent repositories
81,396,206 Downloads total

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 3.0.0, 3.0.1, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 6.0.0, 6.0.1

All unaffected versions

7.0.0, 8.0.0

maven:org.webjars.npm:jquery-ui: affected < 1.13.0, fixed in 1.13.0
20 Dependent packages
1 Dependent repositories

Affected Version Ranges

All affected versions

1.10.4, 1.10.5, 1.12.0, 1.12.1

All unaffected versions

1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.14.0, 1.14.1

nuget:jQuery.UI.Combined: affected < 1.13.0, fixed in 1.13.0
27 Dependent packages
0 Dependent repositories
53,461,818 Downloads total

Affected Version Ranges

All affected versions

1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 1.8.19, 1.8.20, 1.8.21, 1.8.22, 1.8.23, 1.8.24, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1

All unaffected versions

1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.14.1

npm:jquery-ui: affected < 1.13.0, fixed in 1.13.0
788 Dependent packages
21,377 Dependent repositories
2,391,358 Downloads last month

Affected Version Ranges

All affected versions

1.10.4, 1.10.5, 1.12.0, 1.12.1

All unaffected versions

1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.14.0, 1.14.1

Impact

Accepting the value of the altField option of the Datepicker widget from an untrusted source can lead to script execution in the page. The widget hands the option straight to jQuery's $(), and $() treats a string that looks like HTML markup as markup to be parsed rather than as a selector to be run. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

creates the img element from the string; the request for /404 fails, the onerror handler fires, and doEvilThing runs with the page's origin.

Patches

The issue is fixed in jQuery UI 1.13.0 (jquery-ui-rails 7.0.0 and the webjars and NuGet packages at 1.13.0 ship the fixed version). Any string value passed to the altField option is now treated as a CSS selector only; it is no longer parsed as HTML.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources. If the target field must be configurable, hard-code the selector on the server side or validate the string against a strict allowlist of element selectors before passing it to the widget; a check that only looks at the first character is not enough, because jQuery also accepts markup preceded by whitespace or followed by trailing text.
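The following is an added example for the Impact, Patches and Workarounds sections above; it is not code from this advisory or from the jQuery UI project. It reproduces the rule jQuery's $() applies to a string argument (the regular expression is jQuery's own rquickExpr), models how the pre-1.13.0 and 1.13.0 widget paths classify the same altField value, and shows an allowlist check to apply before handing a user-supplied value to the widget. The "#id-only" policy in the check, the helper names and the sample payloads are assumptions made for the example.

```javascript
// Added example (not the advisory's or jQuery UI's code). Reproduces jQuery's
// $() dispatch rule, the root cause of the altField issue, and shows an
// allowlist check for altField values that come from user input.

// jQuery.fn.init applies this rule to a string argument (rquickExpr is
// jQuery's own): "<...>" means "create elements from HTML", "#id" means
// getElementById, anything else is run as a CSS selector.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function classifyJqueryArg(str) {
  if (typeof str !== "string") return "object"; // DOM element or jQuery object
  let match;
  if (str[0] === "<" && str[str.length - 1] === ">" && str.length >= 3) {
    match = [null, str, null];            // fast path: obviously HTML
  } else {
    match = rquickExpr.exec(str);
  }
  if (match && match[1]) return "html";   // parsed as markup: inline handlers fire
  if (match && match[2]) return "id";
  return "selector";
}

// Constructed model of the two widget versions (not the widget's code).
// Before 1.13.0 the option went straight into $(); from 1.13.0 it goes
// through $(document).find(), which only ever runs a string as a selector.
function altFieldKindBefore113(value) {
  return classifyJqueryArg(value);
}
function altFieldKindFrom113(value) {
  return typeof value === "string" ? "selector" : "object";
}

// Workaround-side check. Assumption for this example: the page only needs
// "#id" targets, so anything else is rejected, including leading whitespace
// and trailing text, which rquickExpr would still classify as HTML.
const ID_SELECTOR = /^#[A-Za-z_][\w-]*$/;
function safeAltFieldSelector(value) {
  if (typeof value !== "string" || !ID_SELECTOR.test(value)) {
    throw new TypeError("altField must be a '#id' selector, got: " + JSON.stringify(value));
  }
  return value;
}

// The payload from the advisory, plus two constructed variants that a naive
// "starts with < and ends with >" filter would let through.
const ADVISORY_PAYLOAD = "<img onerror='doEvilThing()' src='/404' />";
const LEADING_SPACE    = "  <img src=x onerror=doEvilThing()>";
const TRAILING_TEXT    = "<img src=x onerror=doEvilThing()>ignored";

if (typeof require !== "undefined" && require.main === module) {
  const samples = [ADVISORY_PAYLOAD, LEADING_SPACE, TRAILING_TEXT, "#altDate", "input[name=alt]"];
  for (const v of samples) {
    console.log(JSON.stringify(v),
      "pre-1.13:", altFieldKindBefore113(v),
      "1.13+:", altFieldKindFrom113(v));
  }
}
```

In a real page, safeAltFieldSelector() runs on the server or in the page before the option object is built, and the widget receives only its return value; on jQuery UI 1.13.0 or later the string is run as a selector regardless, but the allowlist still stops an attacker from pointing altField at an arbitrary element.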

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
