Platform
javascript
Component
jquery-ui
Fixed in
1.13.0
CVE-2021-41184 describes a cross-site scripting (XSS) vulnerability in the .position() utility of the jQuery UI library. This vulnerability could potentially be exploited in Drupal to inject malicious scripts into web pages. Drupal Core versions up to and including 9.3.2 are affected. The vulnerability is fixed in Drupal version 9.2.11.
CVE-2021-41184 in jQuery UI affects the .position() function when the value of the of option is sourced from untrusted origins. The vulnerability allows arbitrary code execution if an attacker can control the value of of. Specifically, if malicious code is embedded in an HTML tag (such as an <img> tag with an onerror attribute) and that string is passed as the value of of, the code is triggered when jQuery UI processes the .position() call. This could result in theft of sensitive information, modification of application behaviour, or even complete system control.
An attacker could exploit this vulnerability by injecting malicious code into a web page that uses jQuery UI. For example, if a web application lets users enter text that is subsequently used in the .position() function, an attacker could place malicious HTML in the input field. When the application processes this text and uses it as the value of of, the malicious code executes. The vulnerability is particularly concerning in web applications that handle user data without proper validation.
Exploit status
EPSS
25.37% (percentile 96%)
CVSS vector
The fix for this vulnerability is to upgrade to jQuery UI version 1.13.0 or higher. This version validates that the value of the of option is a safe string, preventing malicious HTML from being interpreted. If an immediate upgrade isn't possible, rigorously validate and sanitize any values originating from external sources before passing them as the value of of. Additionally, review existing code for potentially vulnerable entry points and apply further mitigation measures.
Upgrade jQuery UI to version 1.13.0 or later. This version treats every value passed to the 'of' option as a CSS selector, mitigating the XSS vulnerability.
jQuery UI is a JavaScript library of UI widgets, providing a wide range of components and visual effects to ease the creation of interactive web interfaces.
Version 1.13.0 fixes CVE-2021-41184, which allows arbitrary code execution. Upgrading is essential to protect your application from potential attacks.
If you can't upgrade immediately, rigorously validate and sanitize any values originating from external sources before passing them as the value of the of option.
Review your code to identify every use of the .position() function where the value of the of option is sourced from untrusted origins.
Static code analysis tools can help identify uses of the .position() function with untrusted of values.
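The following is an added example, not jQuery UI's code nor code from this advisory. It shows the two defensive steps described above in plain JavaScript that runs in Node without a browser: a helper that flags of values the pre-1.13 code path would have handed to jQuery's HTML parser (useful when reviewing existing .position() call sites), and a resolver that follows the approach the fix takes, sending every string through a selector lookup and never through markup parsing. The rquickExpr regular expression is the one jQuery core uses to decide whether a string is markup or an #id; demoFind, demoDom and the sample inputs are constructed stand-ins for a selector engine and a DOM.

```javascript
// Added example (not jQuery UI's own code): defensive handling of the .position() "of" option.
// Before 1.13.0, jQuery UI evaluated $(options.of); jQuery's $() turns a string that looks
// like markup into elements, so an attacker-controlled string became an HTML injection point.
// The fix described on this page treats every string as a CSS selector instead.

// jQuery core's test for "is this string markup, or an #id?" (rquickExpr).
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// True when the legacy $(str) path would have parsed str as HTML rather than as a selector.
// Mirrors jQuery's fast path ("<...>" of length >= 3) followed by the regex check.
function wouldLegacyParseAsHtml(str) {
  if (typeof str !== "string") return false;
  if (str.length >= 3 && str[0] === "<" && str[str.length - 1] === ">") return true;
  const match = rquickExpr.exec(str);
  return Boolean(match && match[1]);
}

// Resolve "of" the safe way: strings only ever go through a selector lookup.
// `find` is injected so this runs outside a browser; in a page, pass
// (sel) => document.querySelector(sel) or (sel) => $(document).find(sel).
function resolvePositionTarget(of, find) {
  if (typeof of === "string") {
    // "<img ...>" is not a valid selector: the engine throws, nothing is parsed as markup.
    return find(of);
  }
  if (of && typeof of === "object") {
    // DOM element, jQuery object, Event, or {left, top} literal: not a string, never parsed.
    return of;
  }
  throw new TypeError("position(): unsupported 'of' value");
}

// Constructed stand-in for a selector engine: supports "#id" lookups only and, like
// document.querySelector, throws SyntaxError on anything that is not a selector.
const demoDom = new Map([["#save-button", { id: "save-button", nodeType: 1 }]]);
function demoFind(selector) {
  if (!/^#[\w-]+$/.test(selector)) {
    throw new SyntaxError(`'${selector}' is not a valid selector`);
  }
  return demoDom.get(selector) ?? null;
}

// Small report for one candidate "of" value, as a code-review helper would produce.
function classifyOfValue(of) {
  const unsafeInLegacy = wouldLegacyParseAsHtml(of);
  let resolved = null;
  let error = null;
  try {
    resolved = resolvePositionTarget(of, demoFind);
  } catch (e) {
    error = e.name;
  }
  return { unsafeInLegacy, resolved: resolved !== null && error === null, error };
}

// Constructed inputs: a legitimate selector and a markup string of the kind the CVE describes.
const samples = ["#save-button", "<img src=x onerror=handler()>"];
for (const s of samples) {
  console.log(JSON.stringify(s), classifyOfValue(s));
}
```

When auditing call sites, run wouldLegacyParseAsHtml over any of value that can be reached from user input; a true result on a pre-1.13.0 library is exactly the condition this CVE describes. After the upgrade, or with resolvePositionTarget in front of .position(), the same string fails as an invalid selector instead of being rendered.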