DRUPAL-CORE-2022-001
Platform: drupal
Component: drupal
Fixed in: 9.2.11

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released [jQuery UI 1.13.0](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/). As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:

* CVE-2021-41184: [XSS in the `of` option of the `.position()` util](https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327)

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issue, without making any of the other changes to the jQuery version that is included in Drupal.

This advisory is not covered by [Drupal Steward](/steward).

How to fix
No official patch available. Check for workarounds or monitor for updates.