DRUPAL-CONTRIB-2022-004

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jquery_ui_datepicker/DRUPAL-CONTRIB-2022-004.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-004

Published

2022-01-19T15:33:50Z

Modified

2025-12-10T23:32:05.732619Z

Summary

[none]

Details

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect site using the jQuery UI Datepicker module:

CVE-2021-41182: XSS in the altField option of the Datepicker widget
CVE-2021-41183: XSS in *Text options of the Datepicker widget

References

https://www.drupal.org/sa-contrib-2022-004

Credits

- Lauri Eskola
- - https://www.drupal.org/user/1078742

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/jquery_ui_datepicker

Package

Name: drupal/jquery_ui_datepicker
Purl: pkg:composer/drupal/jquery_ui_datepicker

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.0

Database specific

{
    "constraint": "<1.2.0"
}

Database specific

affected_versions

"<1.2.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/jquery_ui_datepicker/DRUPAL-CONTRIB-2022-004.json"