
Debian 10 Buster: DLA-3230-1 Critical: jQuery-UI Code Execution

Debian LTS
December 7, 2022
Upgrade the jqueryui package on Debian 10 Buster in response to the vulnerabilities described in Advisory DLA-3230-1.
jQuery-UI, the official jQuery user interface library, is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery, and was reported to have th...

Summary

CVE-2021-41182

jQuery-UI accepted the value of the `altField` option of the
Datepicker widget from untrusted sources, which could execute untrusted code.
This has been fixed: any string value passed to the `altField`
option is now treated as a CSS selector.

CVE-2021-41183

jQuery-UI accepted the values of various `*Text` options of the
Datepicker widget from untrusted sources, which could execute untrusted code.
This has been fixed: the values passed to the various `*Text`
options are now always treated as pure text, not HTML.

CVE-2021-41184

jQuery-UI accepted the value of the `of` option of the
`.position()` util from untrusted sources, which could execute untrusted code.
This has been fixed: any string value passed to the `of`
option is now treated as a CSS selector.

CVE-2022-31160

jQuery-UI was potentially vulnerable to cross-site scripting.
Initializing a checkboxradio widget on an input enclosed within a



Severity: Critical

Package: jqueryui
Version: 1.12.1+dfsg-5+deb10u1
CVE ID: CVE-2021-41182 CVE-2021-41183 CVE-2021-41184
Debian Bug: 1015982
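To confirm that a Buster host actually carries the fixed build named above, the following added example (not part of the advisory) compares the installed package version against 1.12.1+dfsg-5+deb10u1. It assumes the binary package installed from the jqueryui source package is libjs-jquery-ui, and falls back to GNU sort -V where dpkg itself is unavailable.

```shell
#!/bin/sh
# Added example, not part of DLA-3230-1: verify that a Debian 10 host carries
# the fixed jqueryui build named in the advisory. Assumes the binary package
# installed from the jqueryui source package is libjs-jquery-ui.
FIXED_VERSION="1.12.1+dfsg-5+deb10u1"   # fixed version from the advisory
PACKAGE="libjs-jquery-ui"               # assumed binary package name

# version_ge A B: succeed when Debian version A is >= B. Prefer dpkg's own
# comparison; fall back to GNU sort -V where dpkg is not available.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# installed_version PKG: print the installed version, or nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# report_status PKG CUR FIXED: print a verdict line and return
# 0 = patched, 1 = still affected, 2 = package not installed.
report_status() {
    pkg=$1; cur=$2; fixed=$3
    if [ -z "$cur" ]; then
        echo "$pkg: not installed"; return 2
    fi
    if version_ge "$cur" "$fixed"; then
        echo "$pkg $cur: at or above $fixed, DLA-3230-1 applied"; return 0
    fi
    echo "$pkg $cur: below $fixed, still affected by the CVEs in DLA-3230-1"
    return 1
}

# check_package PKG FIXED: look up the installed version and report on it.
check_package() {
    report_status "$1" "$(installed_version "$1")" "$2"
}

# Run the live check only when invoked with --run, so the functions can
# also be sourced into other scripts or a test harness.
if [ "${1:-}" = "--run" ]; then
    check_package "$PACKAGE" "$FIXED_VERSION"
fi
```

Run it as `sh check-jqueryui.sh --run`; the exit status (0 patched, 1 affected, 2 not installed) makes it usable from a fleet-wide audit job.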
