Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
drupal7 | removed | | | package |
jqueryui | fixed | 1.13.0+dfsg-1 | | package |
jqueryui | fixed | 1.12.1+dfsg-8+deb11u1 | bullseye | package |
jqueryui | no-dsa | | stretch | package |
otrs2 | fixed | 6.3.1-1 | | package |
otrs2 | no-dsa | | bullseye | package |
otrs2 | no-dsa | | stretch | package |
Notes
https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
https://bugs.jqueryui.com/ticket/15284
https://github.com/jquery/jquery-ui/pull/1953
https://www.drupal.org/sa-core-2022-001
https://www.znuny.org/en/advisories/zsa-2022-01
Related vulnerabilities
XSS in `*Text` options of the Datepicker widget in jquery-ui