CVE-2022-31160

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-31160

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31160.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-31160

Aliases

GHSA-h6gj-6jjq-h8g9

Related

Published

2022-07-20T20:15:08Z

Modified

2024-09-18T03:20:33.311690Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

References

Affected packages

Debian:11 / jqueryui

Package

Name: jqueryui
Purl: pkg:deb/debian/jqueryui?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.1+dfsg-8+deb11u2

Affected versions

1.*

1.12.1+dfsg-8

1.12.1+dfsg-8+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jqueryui

Package

Name: jqueryui
Purl: pkg:deb/debian/jqueryui?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jqueryui

Package

Name: jqueryui
Purl: pkg:deb/debian/jqueryui?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.13.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/jquery/jquery-ui

Affected ranges

Type: GIT
Repo: https://github.com/jquery/jquery-ui
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

Affected versions

1.*

1.5.1

1.5.2

1.6

1.6rc2

1.6rc3

1.6rc5

1.6rc6

1.7

1.8

1.8.1

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8a1

1.8a2

1.8b1

1.8rc1

1.8rc2

1.8rc3

1.9.0-beta.1

1.9.0m8

1.9m4

1.9m5

1.9m6

1.9m7