Reflected cross-site scripting (XSS) in drupal/jquery_ui_datepicker
Description
jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.
jQuery UI was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development, and released jQuery UI 1.13.0. As part of this 1.13.0 update, they disclosed the following security issues that may affect sites using the jQuery UI Datepicker module:
CVE-2021-41182: XSS in the altField option of the Datepicker widget
CVE-2021-41183: XSS in *Text options of the Datepicker widget
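For sites that build Datepicker options from untrusted input, the following added example (not code from Drupal, this module or jQuery UI) hardens the two option groups named above before the widget is initialised. The function names, the sample options and the sample version string are assumptions made for illustration; treating 1.13.0 as the fixed release follows the upstream jQuery UI advisories.

```javascript
// Added example, not Drupal or jQuery UI code. All function names are hypothetical.
const FIXED_IN = "1.13.0"; // jQuery UI release that shipped the fixes

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);

// Numeric dotted-version compare: true when `version` is older than `baseline`.
function isOlderThan(version, baseline) {
  const a = version.split(".").map((n) => parseInt(n, 10) || 0);
  const b = baseline.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff < 0;
  }
  return false;
}

// uiVersion is the loaded library version (in the browser: $.ui.version).
function hardenDatepickerOptions(untrusted, uiVersion) {
  const rendersTextAsHtml = isOlderThan(uiVersion, FIXED_IN);
  const safe = {};
  for (const [key, value] of Object.entries(untrusted)) {
    if (key === "altField" && typeof value === "string") {
      // CVE-2021-41182: jQuery parses tag-like strings as HTML, and a CSS
      // selector never needs "<", so reject any value containing it.
      if (value.includes("<")) throw new TypeError("altField must be a CSS selector");
      safe[key] = value;
    } else if (/Text$/.test(key) && typeof value === "string" && rendersTextAsHtml) {
      // CVE-2021-41183: older releases insert *Text options as HTML.
      safe[key] = escapeHtml(value);
    } else {
      safe[key] = value;
    }
  }
  return safe;
}

// Constructed sample input, e.g. settings assembled from request parameters.
const sample = { closeText: "<b>Done</b>", altField: "#alt > input", dateFormat: "yy-mm-dd" };
console.log(hardenDatepickerOptions(sample, "1.12.1"));
```

On 1.13.0 or later the widget already treats these options as text, so the helper leaves them unescaped there to avoid displaying the entities literally.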
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
packagist | 1.2.0 |
Aliases