Reflected cross-site scripting (XSS) In drupal/drupal
Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 packagist | >=7.0 <7.86 | 8.0.0 | |
 debian 12 | >=0 <1.13.0+dfsg-1 | 1.13.0+dfsg-1 | |
debian 14 | >=0 <1.13.0+dfsg-1 | 1.13.0+dfsg-1 | |
debian 11 | =2.0.4p01-10 || =2.0.4p01-11 || =2.0.4p01-12 || =2.0.4p01-13 || =2.0.4p01-14 || =2.0.4p01-14.1 || =2.0.4p01-15 || =2.0.4p01-16 || =2.0.4p01-17 || =2.0.4p01-18 || =2.0.4p01-6 || =2.0.4p01-7 || =2.0.4p01-8 || =2.0.4p01-9 || =2.0.99beta1-1 || =2.0.99beta1-2 || =2.1.1-1 || =2.1.3-1 || =2.1.4-1 || =2.1.4-2 || =2.1.5-1 || =2.1.5-2 || =2.1.5-3 || =2.1.6-1 || =2.1.7-1 || =2.1.7-2 || =2.2.0~beta2-1 || =2.2.0~beta3-1 || =2.2.1-1 || =2.2.2-1 || =2.2.3-1 || =2.2.4-1 || =2.2.5-1 || =2.2.5-2 || =2.2.6-1 || =2.2.7-1 || =2.2.7-2 || =2.2.7-2lenny1 || =2.2.7-2lenny2 || =2.2.7-2lenny3 || =2.2.7-3 || =2.3.2-1 || =2.3.2-2 || =2.3.3-1 || =2.3.4-1 || =2.3.4-2 || =2.3.4-3 || =2.3.4-4 || =2.3.4-5 || =2.3.4-6 || =2.3.4-7 || =2.4.10+dfsg1-1 || =2.4.10+dfsg1-2 || =2.4.10+dfsg1-3 || =2.4.5-1 || =2.4.5-2 || =2.4.5-3 || =2.4.5-4 || =2.4.5-5 || =2.4.6-1 || =2.4.6-2 || =2.4.7+dfsg1-1 || =2.4.7-1 || =2.4.7-2 || =2.4.7-3 || =2.4.7-4 || =2.4.7-5 || =2.4.7-6 || =2.4.8+dfsg1-1 || =2.4.9+dfsg1-1 || =2.4.9+dfsg1-2 || =2.4.9+dfsg1-3 || =2.4.9+dfsg1-3+squeeze1 || =2.4.9+dfsg1-3+squeeze3 || =2.4.9+dfsg1-3+squeeze4 || =2.4.9+dfsg1-3+squeeze5 || =2.4.9+dfsg1-4 || =2.4.9+dfsg1-5 || =3.0.10+dfsg1-1 || =3.0.10+dfsg1-2 || =3.0.11+dfsg1-1 || =3.0.8+dfsg1-1 || =3.0.9+dfsg1-1 || =3.1.0~beta4+dfsg1-1 || =3.1.0~beta5+dfsg1-1 || =3.1.0~rc1+dfsg1-1 || =3.1.1+dfsg1-1 || =3.1.1+dfsg1-2 || =3.1.10+dfsg1-1 || =3.1.11+dfsg1-1 || =3.1.12+dfsg1-1 || =3.1.12+dfsg1-2 || =3.1.12+dfsg1-3 || =3.1.2+dfsg1-1 || =3.1.2+dfsg1-2 || =3.1.2+dfsg1-3 || =3.1.3+dfsg1-1 || =3.1.3+dfsg1-2 || =3.1.4+dfsg1-1 || =3.1.5+dfsg1-1 || =3.1.5+dfsg1-2 || =3.1.5+dfsg1-3 || =3.1.6+dfsg1-1 || =3.1.7+dfsg1-1 || =3.1.7+dfsg1-2 || =3.1.7+dfsg1-3 || =3.1.7+dfsg1-4 || =3.1.7+dfsg1-5 || =3.1.7+dfsg1-6 || =3.1.7+dfsg1-7 || =3.1.7+dfsg1-8 || =3.1.8+dfsg1-1 || =3.1.9+dfsg1-1 || =3.2.1+dfsg1-1 || =3.2.10-1 || =3.2.10-2 || =3.2.11-1 || =3.2.11-1~bpo70+1 || =3.2.12-1 || =3.2.2+dfsg1-1 || =3.2.3+dfsg1-1 || =3.2.4-1 || =3.2.5-1 || =3.2.6-1 || =3.2.6-2 || =3.2.7-1 || =3.2.7-2 || =3.2.8-1 || =3.2.9-1 || =3.2.9-2 || =3.3.1-1 || =3.3.10-1 || =3.3.11-1 || =3.3.18-1~deb7u1 || =3.3.18-1~deb7u2 || =3.3.18-1~deb7u3 || =3.3.2-1 || =3.3.3-1 || =3.3.3-2 || =3.3.3-3 || =3.3.4-1 || =3.3.5-1 || =3.3.6-1 || =3.3.7-1 || =3.3.7-2 || =3.3.8-1 || =3.3.9-1 || =3.3.9-2 || =3.3.9-3 || =3.3.9-3~bpo70+1 || =4.0.10-1 || =4.0.11-1 || =4.0.12-1 || =4.0.13-1 || =4.0.13-1~bpo8+1 || =4.0.5-1 || =4.0.5-2 || =4.0.6-1 || =4.0.7-1 || =4.0.7-2 || =4.0.8-1 || =4.0.9-1 || =5.0.1-1 || =5.0.1-2 || =5.0.10-1 || =5.0.10-1~bpo8+1 || =5.0.11-1 || =5.0.12-1 || =5.0.13-1 || =5.0.13-1~bpo8+1 || =5.0.13-2 || =5.0.14-1 || =5.0.14-1~bpo8+1 || =5.0.15-1 || =5.0.16-1 || =5.0.16-1~bpo8+1 || =5.0.17-1 || =5.0.18-1 || =5.0.19-1 || =5.0.2-1 || =5.0.20-1 || =5.0.21-1 || =5.0.21-1~bpo9+1 || =5.0.22-1 || =5.0.23-1 || =5.0.23-1~bpo9+1 || =5.0.24-1 || =5.0.24-1~bpo9+1 || =5.0.3-1 || =5.0.5-1 || =5.0.6-1 || =5.0.6-1~bpo8+1 || =5.0.7-1 || =5.0.8+dfsg1-1 || =5.0.8-1 || =5.0.8-1~bpo8+1 || =5.0.9+dfsg1-1 || =5.0.9+repack1-1 || =6.0.1-1 || =6.0.10-1 || =6.0.11-1 || =6.0.11-1~bpo9+1 || =6.0.12-1 || =6.0.12-1~bpo9+1 || =6.0.13-1 || =6.0.14-1 || =6.0.15-1 || =6.0.16-1 || =6.0.16-2 || =6.0.17-1 || =6.0.18-1 || =6.0.19-1 || =6.0.2-1 || =6.0.20-1 || =6.0.20-1~bpo10+1 || =6.0.21-1 || =6.0.22-1 || =6.0.23-1 || =6.0.23-2 || =6.0.24-1 || =6.0.24-1~bpo10+1 || =6.0.25-1 || =6.0.25-2 || =6.0.25-3 || =6.0.25-3~bpo10+1 || =6.0.26-1 || =6.0.26-1~bpo10+1 || =6.0.27-1 || =6.0.27-1~bpo10+1 || =6.0.28-1 || =6.0.28-1~bpo10+1 || =6.0.28-2 || =6.0.29-1 || =6.0.29-1~bpo10+1 || =6.0.3-1 || =6.0.30-1 || =6.0.30-1~bpo10+1 || =6.0.30-2 || =6.0.32-1 || =6.0.32-2 || =6.0.32-2~bpo10+1 || =6.0.32-4 || =6.0.32-5 || =6.0.32-5~bpo10+1 || =6.0.32-6 || =6.0.36-2 || =6.0.36-2~bpo11+1 || =6.0.4-1 || =6.0.5-1 || =6.0.6-1 || =6.0.7-1 || =6.0.8-1 || =6.0.8-1~bpo9+1 || =6.0.9-1 || =6.0.9-1~bpo9+1 || =6.1.2-1 || =6.1.2-1~bpo11+1 || =6.2.1-1 || =6.2.2-1 || =6.2.2-2 || =6.3.1-1 || =6.3.2-1 | - | |
 rubygems | >=0 <7.0.0 | 7.0.0 | |
 npm | >=0 <1.13.0 | 1.13.0 | |
 maven | >=0 <1.13.0 | 1.13.0 | |
 nuget | >=0 <1.13.0 | 1.13.0 | |
debian 13 | >=0 <1.13.0+dfsg-1 | 1.13.0+dfsg-1 | |
debian 11 | =1.12.1+dfsg-8 || >=0 <1.12.1+dfsg-8+deb11u1 | 1.12.1+dfsg-8+deb11u1 |
Aliases
References
1. https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b632. https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/3. https://security.netapp.com/advisory/ntap-20211118-0004/4. https://lists.fedoraproject.org/archives/list/[email protected]/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/5. https://lists.fedoraproject.org/archives/list/[email protected]/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/6. https://lists.fedoraproject.org/archives/list/[email protected]/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/7. https://www.drupal.org/sa-core-2022-0028. https://github.com/aredspy/CVE-2021-411829. https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc10. https://www.oracle.com/security-alerts/cpujul2022.html11. https://www.oracle.com/security-alerts/cpuapr2022.html12. https://security.netapp.com/advisory/ntap-20211118-000413. https://lists.fedoraproject.org/archives/list/[email protected]/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES14. https://lists.fedoraproject.org/archives/list/[email protected]/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL415. https://lists.fedoraproject.org/archives/list/[email protected]/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ16. https://lists.fedoraproject.org/archives/list/[email protected]/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW17. https://lists.fedoraproject.org/archives/list/[email protected]/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE318. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES19. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL420. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ21. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW22. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE323. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2021-41182.yml24. https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released
Does your application use this vulnerable software?
During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.