GHSA-hpcf-8vf9-q4gj

Suggest an improvement
Source
https://github.com/advisories/GHSA-hpcf-8vf9-q4gj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hpcf-8vf9-q4gj/GHSA-hpcf-8vf9-q4gj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hpcf-8vf9-q4gj
Aliases
Published
2017-10-24T18:33:35Z
Modified
2024-03-11T05:20:56.476279Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
jQuery-UI vulnerable to Cross-site Scripting in dialog closeText
Details

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

Database specific
{
    "nvd_published_at": "2017-03-15T16:59:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:40:44Z"
}
References

Affected packages

npm / jquery-ui

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.0

RubyGems / jquery-ui-rails

Package

Name
jquery-ui-rails
Purl
pkg:gem/jquery-ui-rails

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0

Affected versions

0.*

0.0.1
0.0.2
0.1.0
0.2.0
0.2.1
0.2.2
0.3.0
0.4.0
0.4.1
0.5.0

1.*

1.0.0
1.1.0
1.1.1

2.*

2.0.0
2.0.1
2.0.2

3.*

3.0.0
3.0.1

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5

Maven / org.webjars.npm:jquery-ui

Package

Name
org.webjars.npm:jquery-ui
View open source insights on deps.dev
Purl
pkg:maven/org.webjars.npm/jquery-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.0

Affected versions

1.*

1.10.4
1.10.5
1.12.0-rc.2

NuGet / jQuery.UI.Combined

Package

Name
jQuery.UI.Combined
View open source insights on deps.dev
Purl
pkg:nuget/jQuery.UI.Combined

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.12.0

Affected versions

1.*

1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.8.20
1.8.20.1
1.8.21
1.8.22
1.8.23
1.8.24
1.9.0-RC1
1.9.0
1.9.1
1.9.2
1.10.0
1.10.1
1.10.2
1.10.3
1.10.4
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4