CVE-2021-41183

CVE-2021-41183

Name

CVE-2021-41183

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://bugs.jqueryui.com/ticket/15284
MISC	https://github.com/jquery/jquery-ui/pull/1953
CONFIRM	https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
MISC	https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
Third Party Advisory	https://security.netapp.com/advisory/ntap-20211118-0004/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
Mailing List	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
Third Party Advisory	https://www.drupal.org/sa-contrib-2022-004
Third Party Advisory	https://www.drupal.org/sa-core-2022-001
Third Party Advisory	https://www.drupal.org/sa-core-2022-002
Mailing List	https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html
CONFIRM	https://www.tenable.com/security/tns-2022-09

Type

URI

MISC

https://bugs.jqueryui.com/ticket/15284

MISC

https://github.com/jquery/jquery-ui/pull/1953

CONFIRM

https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4

MISC

https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211118-0004/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/

Third Party Advisory

https://www.drupal.org/sa-contrib-2022-004

Third Party Advisory

https://www.drupal.org/sa-core-2022-001

Third Party Advisory

https://www.drupal.org/sa-core-2022-002

Mailing List

https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html

MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

CONFIRM

https://www.tenable.com/security/tns-2022-09

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:jquery:jquery_ui::::::::`	jquery_ui	>= None	< 1.13.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:jquery:jquery_ui:*:*:*:*:*:*:*:*

jquery_ui

>= None

< 1.13.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
drupal7	edge-community	7.86-r0	None	fixed
drupal7	3.20-community	7.86-r0	None	fixed
drupal7	3.19-community	7.86-r0	None	fixed
drupal7	3.18-community	7.86-r0	None	fixed
drupal7	3.17-community	7.86-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

drupal7

edge-community

7.86-r0

None

fixed

drupal7

3.20-community