jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text
options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text
options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text
options from untrusted sources.
{ "cpes": [ "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*" ], "severity": "Medium" }