
CVE-2021-41183 jquery.ui.combined

Package

Manager: nuget
Name: jquery.ui.combined
Vulnerable Version: >=0 <1.13.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02361 (percentile 0.84339)

Details

XSS in `*Text` options of the Datepicker widget in jquery-ui

### Impact

Accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

```js
// Vulnerable on jQuery UI < 1.13.0: each `*Text` value is inserted into the
// widget markup as HTML, so the script elements below are executed.
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
```

will call `doEvilThing` with 6 different parameters coming from all `*Text` options.

### Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML.

### Workarounds

A workaround is to not accept the value of the `*Text` options from untrusted sources.

### For more information

If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.
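The following is an added example, not code from the advisory or from the jQuery UI project. It shows one way to apply the workaround above when an application cannot yet upgrade to 1.13.0: HTML-escape every `*Text` option before it reaches `$.fn.datepicker`, but only on vulnerable versions, because 1.13.0 and later already treat these values as text and escaping there would display the entities literally. The function names `hardenDatepickerOptions`, `isVulnerableJqueryUiVersion` and `prepareDatepickerOptions`, the rule "every option whose name ends in `Text`", and the sample attacker-controlled options are all assumptions made for this example.

```javascript
// Added example (not part of the advisory or jQuery UI). Assumptions:
// every option key ending in "Text" is a datepicker label option that the
// pre-1.13.0 widget inserts as HTML, so escaping those keys is sufficient
// for the six options the advisory lists.
const TEXT_OPTION_RE = /Text$/;

// Minimal HTML escaping so a value is rendered as literal text even when
// the widget concatenates it into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Returns a shallow copy of the options with every string-valued `*Text`
// option escaped; all other options are passed through unchanged.
function hardenDatepickerOptions(options) {
  const out = {};
  for (const [key, value] of Object.entries(options)) {
    out[key] =
      TEXT_OPTION_RE.test(key) && typeof value === "string"
        ? escapeHtml(value)
        : value;
  }
  return out;
}

// True when the version falls in the advisory's range (>=0 <1.13.0).
// In the browser the runtime version is available as $.ui.version.
function isVulnerableJqueryUiVersion(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(version));
  if (!m) throw new Error(`unrecognised jQuery UI version: ${version}`);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  return major < 1 || (major === 1 && minor < 13);
}

// Escape only on vulnerable versions: 1.13.0+ treats `*Text` as pure text,
// so escaping there would show "&lt;" to the user instead of "<".
function prepareDatepickerOptions(options, uiVersion) {
  return isVulnerableJqueryUiVersion(uiVersion)
    ? hardenDatepickerOptions(options)
    : { ...options };
}

// Constructed sample input: localisation strings an application might read
// from an untrusted source such as a URL parameter.
const untrustedOptions = {
  showButtonPanel: true,
  showOn: "both",
  closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
  currentText: "<img src=x onerror=\"doEvilThing('currentText XSS')\">",
  dateFormat: "yy-mm-dd",
};

function demo(uiVersion) {
  const safe = prepareDatepickerOptions(untrustedOptions, uiVersion);
  // In the browser: $( "#datepicker" ).datepicker( safe );
  return safe;
}
```

Escaping is a stop-gap for deployments pinned below 1.13.0; the real fix is the upgrade, after which the wrapper becomes a no-op and can be removed.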

Metadata

Created: 2021-10-26T14:55:21Z
Modified: 2021-10-27T17:00:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-j7qv-pgf6-hvh4/GHSA-j7qv-pgf6-hvh4.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-j7qv-pgf6-hvh4
Finding: F008
Auto approve: 1