CVE-2022-31160

Exploit

EPSS 10.94%
Veröffentlicht 20.07.2022 20:15:08
Zuletzt bearbeitet 21.11.2024 07:04:01
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 12

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jqueryui ≫ Jquery Ui SwPlatformjquery Version < 1.13.2

Netapp ≫ H300s Firmware Version-

Netapp ≫ H300s Version-

Netapp ≫ H500s Firmware Version-

Netapp ≫ H500s Version-

Netapp ≫ H700s Firmware Version-

Netapp ≫ H700s Version-

Netapp ≫ H410s Firmware Version-

Netapp ≫ H410s Version-

Netapp ≫ H410c Firmware Version-

Netapp ≫ H410c Version-

Netapp ≫ Oncommand Insight Version-

Drupal ≫ Jquery Ui Checkboxradio Version8.x-1.0 SwPlatformdrupal

Drupal ≫ Jquery Ui Checkboxradio Version8.x-1.1 SwPlatformdrupal

Drupal ≫ Jquery Ui Checkboxradio Version8.x-1.2 SwPlatformdrupal

Drupal ≫ Jquery Ui Checkboxradio Version8.x-1.3 SwPlatformdrupal

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	10.94%	0.931

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

Vendor Advisory

Release Notes

https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

Patch

Third Party Advisory

https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9

Third Party Advisory

Exploit

Release Notes

Mitigation

https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html