CPANSA-Yukki-2021-41182-jqueryui: Yukki vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2021-10-26T00:00:00	Engine	CSAF Perl Toolkit 0.26
Current release date	2021-10-26T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	6.5	Severity	Medium
Original language		Language	en
Also referred to

Vulnerability Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

Vulnerabilities

CVE-2021-41182

Vulnerability Description

Weakness	CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Known affected

Product

Score

Yukki greater than or equal 0.0.121700 and less than or equal 0.140290

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	6.5	Medium
2.0	AV:N/AC:M/Au:N/C:N/I:P/A:N	4.3	Medium

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-Yukki-2021-41182-jqueryui JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2021/cpansa-yukki-2021-41182-jqueryui.json
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc external
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 external
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ external
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
https://security.netapp.com/advisory/ntap-20211118-0004/ external
https://security.netapp.com/advisory/ntap-20211118-0004/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ external
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ external
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ external
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
https://www.drupal.org/sa-contrib-2022-004 external
https://www.drupal.org/sa-contrib-2022-004
https://www.drupal.org/sa-core-2022-002 external
https://www.drupal.org/sa-core-2022-002
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html external
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
https://www.oracle.com/security-alerts/cpuapr2022.html external
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.tenable.com/security/tns-2022-09 external
https://www.tenable.com/security/tns-2022-09
CVE-2021-41182 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2021-41182

Revision history

Version	Date of the revision	Summary of the revision
1	Tue Oct 26 00:00:00 2021	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/