CVE-2021-41183

Опубликовано: 26 окт. 2021

Источник: nvd

CVSS3: 6.5

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Ссылки

https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
Release Notes
Vendor Advisory
https://bugs.jqueryui.com/ticket/15284
Issue Tracking
Vendor Advisory
https://github.com/jquery/jquery-ui/pull/1953
Patch
Third Party Advisory
https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
Exploit
Mitigation
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
Mailing List
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211118-0004/
Third Party Advisory
https://www.drupal.org/sa-contrib-2022-004
Third Party Advisory
https://www.drupal.org/sa-core-2022-001
Third Party Advisory
https://www.drupal.org/sa-core-2022-002
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory
https://www.tenable.com/security/tns-2022-09
Patch
Release Notes
Third Party Advisory
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
Release Notes
Vendor Advisory
https://bugs.jqueryui.com/ticket/15284
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*

Версия до 1.13.0 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Конфигурация 7

Одновременно

cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Конфигурация 8

Одновременно

cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Конфигурация 9

Одновременно

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Конфигурация 10

Одновременно

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Конфигурация 11

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Конфигурация 12

Одно из

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Версия от 7.0 (включая) до 7.86 (исключая)

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Версия от 9.2.0 (включая) до 9.2.11 (исключая)

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Версия от 9.3.0 (включая) до 9.3.3 (исключая)

Конфигурация 13

Одно из

cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*

Версия до 22.1.1 (исключая)

cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*

Версия до 23.1 (исключая)

cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:*

Версия от 8.11.0 (включая) до 11.14.0 (включая)

cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

Версия до 9.2.6.3 (включая)

cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Версия до 8.0.29 (включая)

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*

cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*

Версия от 12.2.0 (включая) до 12.2.5 (включая)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*

Версия от 17.7 (включая) до 17.12 (включая)

cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*

Версия до 22.1.1 (исключая)

cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Конфигурация 14

cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*

Версия до 5.21.0 (исключая)

EPSS

Процентиль: 81%

0.01668

Низкий

6.5 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2021-41183

CVSS3: 6.5

ubuntu

больше 3 лет назад

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

CVE-2021-41183

CVSS3: 6.5

redhat

больше 3 лет назад

CVE-2021-41183

CVSS3: 6.5

debian

больше 3 лет назад

jQuery-UI is the official jQuery user interface library. Prior to vers ...

GHSA-j7qv-pgf6-hvh4

CVSS3: 6.5

github

больше 3 лет назад

XSS in `*Text` options of the Datepicker widget in jquery-ui

EPSS

Процентиль: 81%

0.01668

Низкий

6.5 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79