CVE-2022-31160

20.07.2022, 20:15

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_M	CNA	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 90%

Vendor	Product	Version
jqueryui	jquery_ui	𝑥 < 1.13.2
netapp	h300s_firmware	-
netapp	h500s_firmware	-
netapp	h700s_firmware	-
netapp	h410s_firmware	-
netapp	h410c_firmware	-
netapp	oncommand_insight	-
drupal	jquery_ui_checkboxradio	8.x-1.0:x
drupal	jquery_ui_checkboxradio	8.x-1.1:x
drupal	jquery_ui_checkboxradio	8.x-1.2:x
drupal	jquery_ui_checkboxradio	8.x-1.3:x
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jqueryui

bullseye	1.12.1+dfsg-8+deb11u2 fixed
sid	1.13.2+dfsg-1 fixed
trixie	1.13.2+dfsg-1 fixed
bookworm	1.13.2+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

jqueryui

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	ignored
jammy	Fixed 1.13.1+dfsg-1ubuntu0.1~esm1 released
focal	Fixed 1.12.1+dfsg-5ubuntu0.20.04.1 released
bionic	Fixed 1.12.1+dfsg-5ubuntu0.18.04.1~esm2 released
xenial	not-affected
trusty	not-affected