XSS in `*Text` options of the Datepicker widget
CVE-2021-41183

6.5MEDIUM

Key Information:

Vendor: Jquery
Status: Jquery-ui
Vendor: CVE Published:; 26 October 2021

Summary

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Affected Version(s)

jquery-ui < 1.13.0

References

https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

https://github.com/jquery/jquery-ui/security/advisories/G...

https://github.com/jquery/jquery-ui/pull/1953

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 26, 2021
Vulnerability Reserved
Sep 15, 2021