CVE-2022-31160

Опубликовано: 20 июл. 2022

Источник: nvd

CVSS3: 6.1

EPSS Средний

Описание

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Ссылки

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
Release Notes
Vendor Advisory
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
Patch
Third Party Advisory
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
Exploit
Mitigation
Release Notes
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
https://security.netapp.com/advisory/ntap-20220909-0007/
Third Party Advisory
https://www.drupal.org/sa-contrib-2022-052
Third Party Advisory
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
Release Notes
Vendor Advisory
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
Patch
Third Party Advisory
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
Exploit
Mitigation
Release Notes
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
https://security.netapp.com/advisory/ntap-20220909-0007/
Third Party Advisory
https://www.drupal.org/sa-contrib-2022-052
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*

Версия до 1.13.2 (исключая)

Конфигурация 2

Одновременно

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Конфигурация 3

Одновременно

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Конфигурация 4

Одновременно

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Конфигурация 5

Одновременно

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Конфигурация 6

Одновременно

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Конфигурация 7

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

Конфигурация 8

Одно из

cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:*

cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:*

cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:*

cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:*

Конфигурация 9

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

Конфигурация 10

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 93%

0.10183

Средний

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2022-31160

CVSS3: 6.1

ubuntu

больше 3 лет назад

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

CVE-2022-31160

CVSS3: 6.1

redhat

больше 3 лет назад

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

CVE-2022-31160

CVSS3: 6.1

debian

больше 3 лет назад

jQuery UI is a curated set of user interface interactions, effects, wi ...

GHSA-h6gj-6jjq-h8g9

CVSS3: 6.1

github

больше 3 лет назад

jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label

EPSS

Процентиль: 93%

0.10183

Средний

6.1 Medium

CVSS3

Дефекты

CWE-79