GHSA-9gj3-hwp5-pmwc

Опубликовано: 26 окт. 2021

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

XSS in the altField option of the Datepicker widget in jquery-ui

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Ссылки

Пакеты

Наименование

jquery-ui

npm

Затронутые версииВерсия исправления

< 1.13.0

1.13.0

Наименование

jQuery.UI.Combined

nuget

Затронутые версииВерсия исправления

< 1.13.0

1.13.0

Наименование

jquery-ui-rails

rubygems

Затронутые версииВерсия исправления

< 7.0.0

7.0.0

Наименование

org.webjars.npm:jquery-ui

maven

Затронутые версииВерсия исправления

< 1.13.0

1.13.0

EPSS

Процентиль: 96%

0.23693

Средний

6.5 Medium

CVSS3

CVE ID

CVE-2021-41182

Дефекты

CWE-79

Связанные уязвимости

CVE-2021-41182

CVSS3: 6.5

ubuntu

больше 3 лет назад

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.