6.1

CVE-2022-31160

Exploit

jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
JqueryuiJquery Ui SwPlatformjquery Version < 1.13.2
NetappH300s Firmware Version-
   NetappH300s Version-
NetappH500s Firmware Version-
   NetappH500s Version-
NetappH700s Firmware Version-
   NetappH700s Version-
NetappH410s Firmware Version-
   NetappH410s Version-
NetappH410c Firmware Version-
   NetappH410c Version-
NetappOncommand Insight Version-
DrupalJquery Ui Checkboxradio Version8.x-1.0 SwPlatformdrupal
DrupalJquery Ui Checkboxradio Version8.x-1.1 SwPlatformdrupal
DrupalJquery Ui Checkboxradio Version8.x-1.2 SwPlatformdrupal
DrupalJquery Ui Checkboxradio Version8.x-1.3 SwPlatformdrupal
FedoraprojectFedora Version35
FedoraprojectFedora Version36
FedoraprojectFedora Version37
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.93% 0.775
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
Vendor Advisory
Release Notes
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
Patch
Third Party Advisory
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
Third Party Advisory
Exploit
Release Notes
Mitigation
https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
https://security.netapp.com/advisory/ntap-20220909-0007/
Third Party Advisory
https://www.drupal.org/sa-contrib-2022-052
Third Party Advisory