CVE-2021-41184 Information

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0 accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ https://security.netapp.com/advisory/ntap-20211118-0004/ https://lists.fedoraproject.org/archives/list/[email protected]/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ https://lists.fedoraproject.org/archives/list/[email protected]/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ https://lists.fedoraproject.org/archives/list/[email protected]/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ https://www.drupal.org/sa-core-2022-001 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.tenable.com/security/tns-2022-09

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1