Reflected cross-site scripting (XSS) In jquery-ui
Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | >=0 <1.13.0 | 1.13.0 | |
 debian 12 | >=0 <1.13.0+dfsg-1 | 1.13.0+dfsg-1 | |
 packagist | >=7.0 <7.86 || >=9.2.0 <9.2.11 || >=9.3.0 <9.3.3 | 8.0.0 | |
 rubygems | >=0 <7.0.0 | 7.0.0 | |
debian 13 | >=0 <1.13.0+dfsg-1 | 1.13.0+dfsg-1 | |
 maven | >=0 <1.13.0 | 1.13.0 | |
debian 11 | =2.0.4p01-10 || =2.0.4p01-11 || =2.0.4p01-12 || =2.0.4p01-13 || =2.0.4p01-14 || =2.0.4p01-14.1 || =2.0.4p01-15 || =2.0.4p01-16 || =2.0.4p01-17 || =2.0.4p01-18 || =2.0.4p01-6 || =2.0.4p01-7 || =2.0.4p01-8 || =2.0.4p01-9 || =2.0.99beta1-1 || =2.0.99beta1-2 || =2.1.1-1 || =2.1.3-1 || =2.1.4-1 || =2.1.4-2 || =2.1.5-1 || =2.1.5-2 || =2.1.5-3 || =2.1.6-1 || =2.1.7-1 || =2.1.7-2 || =2.2.0~beta2-1 || =2.2.0~beta3-1 || =2.2.1-1 || =2.2.2-1 || =2.2.3-1 || =2.2.4-1 || =2.2.5-1 || =2.2.5-2 || =2.2.6-1 || =2.2.7-1 || =2.2.7-2 || =2.2.7-2lenny1 || =2.2.7-2lenny2 || =2.2.7-2lenny3 || =2.2.7-3 || =2.3.2-1 || =2.3.2-2 || =2.3.3-1 || =2.3.4-1 || =2.3.4-2 || =2.3.4-3 || =2.3.4-4 || =2.3.4-5 || =2.3.4-6 || =2.3.4-7 || =2.4.10+dfsg1-1 || =2.4.10+dfsg1-2 || =2.4.10+dfsg1-3 || =2.4.5-1 || =2.4.5-2 || =2.4.5-3 || =2.4.5-4 || =2.4.5-5 || =2.4.6-1 || =2.4.6-2 || =2.4.7+dfsg1-1 || =2.4.7-1 || =2.4.7-2 || =2.4.7-3 || =2.4.7-4 || =2.4.7-5 || =2.4.7-6 || =2.4.8+dfsg1-1 || =2.4.9+dfsg1-1 || =2.4.9+dfsg1-2 || =2.4.9+dfsg1-3 || =2.4.9+dfsg1-3+squeeze1 || =2.4.9+dfsg1-3+squeeze3 || =2.4.9+dfsg1-3+squeeze4 || =2.4.9+dfsg1-3+squeeze5 || =2.4.9+dfsg1-4 || =2.4.9+dfsg1-5 || =3.0.10+dfsg1-1 || =3.0.10+dfsg1-2 || =3.0.11+dfsg1-1 || =3.0.8+dfsg1-1 || =3.0.9+dfsg1-1 || =3.1.0~beta4+dfsg1-1 || =3.1.0~beta5+dfsg1-1 || =3.1.0~rc1+dfsg1-1 || =3.1.1+dfsg1-1 || =3.1.1+dfsg1-2 || =3.1.10+dfsg1-1 || =3.1.11+dfsg1-1 || =3.1.12+dfsg1-1 || =3.1.12+dfsg1-2 || =3.1.12+dfsg1-3 || =3.1.2+dfsg1-1 || =3.1.2+dfsg1-2 || =3.1.2+dfsg1-3 || =3.1.3+dfsg1-1 || =3.1.3+dfsg1-2 || =3.1.4+dfsg1-1 || =3.1.5+dfsg1-1 || =3.1.5+dfsg1-2 || =3.1.5+dfsg1-3 || =3.1.6+dfsg1-1 || =3.1.7+dfsg1-1 || =3.1.7+dfsg1-2 || =3.1.7+dfsg1-3 || =3.1.7+dfsg1-4 || =3.1.7+dfsg1-5 || =3.1.7+dfsg1-6 || =3.1.7+dfsg1-7 || =3.1.7+dfsg1-8 || =3.1.8+dfsg1-1 || =3.1.9+dfsg1-1 || =3.2.1+dfsg1-1 || =3.2.10-1 || =3.2.10-2 || =3.2.11-1 || =3.2.11-1~bpo70+1 || =3.2.12-1 || =3.2.2+dfsg1-1 || =3.2.3+dfsg1-1 || =3.2.4-1 || =3.2.5-1 || =3.2.6-1 || =3.2.6-2 || =3.2.7-1 || =3.2.7-2 || =3.2.8-1 || =3.2.9-1 || =3.2.9-2 || =3.3.1-1 || =3.3.10-1 || =3.3.11-1 || =3.3.18-1~deb7u1 || =3.3.18-1~deb7u2 || =3.3.18-1~deb7u3 || =3.3.2-1 || =3.3.3-1 || =3.3.3-2 || =3.3.3-3 || =3.3.4-1 || =3.3.5-1 || =3.3.6-1 || =3.3.7-1 || =3.3.7-2 || =3.3.8-1 || =3.3.9-1 || =3.3.9-2 || =3.3.9-3 || =3.3.9-3~bpo70+1 || =4.0.10-1 || =4.0.11-1 || =4.0.12-1 || =4.0.13-1 || =4.0.13-1~bpo8+1 || =4.0.5-1 || =4.0.5-2 || =4.0.6-1 || =4.0.7-1 || =4.0.7-2 || =4.0.8-1 || =4.0.9-1 || =5.0.1-1 || =5.0.1-2 || =5.0.10-1 || =5.0.10-1~bpo8+1 || =5.0.11-1 || =5.0.12-1 || =5.0.13-1 || =5.0.13-1~bpo8+1 || =5.0.13-2 || =5.0.14-1 || =5.0.14-1~bpo8+1 || =5.0.15-1 || =5.0.16-1 || =5.0.16-1~bpo8+1 || =5.0.17-1 || =5.0.18-1 || =5.0.19-1 || =5.0.2-1 || =5.0.20-1 || =5.0.21-1 || =5.0.21-1~bpo9+1 || =5.0.22-1 || =5.0.23-1 || =5.0.23-1~bpo9+1 || =5.0.24-1 || =5.0.24-1~bpo9+1 || =5.0.3-1 || =5.0.5-1 || =5.0.6-1 || =5.0.6-1~bpo8+1 || =5.0.7-1 || =5.0.8+dfsg1-1 || =5.0.8-1 || =5.0.8-1~bpo8+1 || =5.0.9+dfsg1-1 || =5.0.9+repack1-1 || =6.0.1-1 || =6.0.10-1 || =6.0.11-1 || =6.0.11-1~bpo9+1 || =6.0.12-1 || =6.0.12-1~bpo9+1 || =6.0.13-1 || =6.0.14-1 || =6.0.15-1 || =6.0.16-1 || =6.0.16-2 || =6.0.17-1 || =6.0.18-1 || =6.0.19-1 || =6.0.2-1 || =6.0.20-1 || =6.0.20-1~bpo10+1 || =6.0.21-1 || =6.0.22-1 || =6.0.23-1 || =6.0.23-2 || =6.0.24-1 || =6.0.24-1~bpo10+1 || =6.0.25-1 || =6.0.25-2 || =6.0.25-3 || =6.0.25-3~bpo10+1 || =6.0.26-1 || =6.0.26-1~bpo10+1 || =6.0.27-1 || =6.0.27-1~bpo10+1 || =6.0.28-1 || =6.0.28-1~bpo10+1 || =6.0.28-2 || =6.0.29-1 || =6.0.29-1~bpo10+1 || =6.0.3-1 || =6.0.30-1 || =6.0.30-1~bpo10+1 || =6.0.30-2 || =6.0.32-1 || =6.0.32-2 || =6.0.32-2~bpo10+1 || =6.0.32-4 || =6.0.32-5 || =6.0.32-5~bpo10+1 || =6.0.32-6 || =6.0.36-2 || =6.0.36-2~bpo11+1 || =6.0.4-1 || =6.0.5-1 || =6.0.6-1 || =6.0.7-1 || =6.0.8-1 || =6.0.8-1~bpo9+1 || =6.0.9-1 || =6.0.9-1~bpo9+1 || =6.1.2-1 || =6.1.2-1~bpo11+1 || =6.2.1-1 || =6.2.2-1 || =6.2.2-2 || =6.3.1-1 || =6.3.2-1 | - | |
 nuget | >=0 <1.13.0 | 1.13.0 | |
debian 14 | >=0 <1.13.0+dfsg-1 | 1.13.0+dfsg-1 | |
debian 11 | =1.12.1+dfsg-8 || >=0 <1.12.1+dfsg-8+deb11u1 | 1.12.1+dfsg-8+deb11u1 |
Aliases
References
1. https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-53272. https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f2803. https://www.oracle.com/security-alerts/cpujul2022.html4. https://www.oracle.com/security-alerts/cpuapr2022.html5. https://www.drupal.org/sa-core-2022-0016. https://security.netapp.com/advisory/ntap-20211118-00047. https://lists.fedoraproject.org/archives/list/[email protected]/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES8. https://lists.fedoraproject.org/archives/list/[email protected]/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL49. https://lists.fedoraproject.org/archives/list/[email protected]/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ10. https://lists.fedoraproject.org/archives/list/[email protected]/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW11. https://lists.fedoraproject.org/archives/list/[email protected]/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE312. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES13. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL414. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ15. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW16. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE317. https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released18. http://seclists.org/fulldisclosure/2024/Aug/3719. https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-4118420. https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/21. https://security.netapp.com/advisory/ntap-20211118-0004/22. https://lists.fedoraproject.org/archives/list/[email protected]/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/23. https://lists.fedoraproject.org/archives/list/[email protected]/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/24. https://lists.fedoraproject.org/archives/list/[email protected]/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
Does your application use this vulnerable software?
During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.