CVE-2022-31160

Published: Jul 20, 2022Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Affected (15)

Products: Jqueryui: Jquery Ui · Netapp: H300s Firmware, H500s Firmware, H700s Firmware, H410s Firmware, H410c Firmware, Oncommand Insight · Drupal: Jquery Ui Checkboxradio · +2 more

Show all products

Jqueryui: Jquery Ui · Netapp: H300s Firmware, H500s Firmware, H700s Firmware, H410s Firmware, H410c Firmware, Oncommand Insight · Drupal: Jquery Ui Checkboxradio · Fedoraproject: Fedora · Debian: Debian Linux

1 product

6 products

Oncommand Insight

1 product

Jquery Ui Checkboxradio

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jqueryui Jquery Ui	Before 1.13.2

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H300s Firmware	All versions

Running on/with	Platform Versions
Netapp H300s	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H500s Firmware	All versions

Running on/with	Platform Versions
Netapp H500s	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H700s Firmware	All versions

Running on/with	Platform Versions
Netapp H700s	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H410s Firmware	All versions

Running on/with	Platform Versions
Netapp H410s	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H410c Firmware	All versions

Running on/with	Platform Versions
Netapp H410c	All versions

Configuration G

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Insight	All versions

Configuration H

4 vulnerable

Vulnerable Software	Affected Versions
Drupal Jquery Ui Checkboxradio	Version 8.x-1.0
Drupal Jquery Ui Checkboxradio	Version 8.x-1.1
Drupal Jquery Ui Checkboxradio	Version 8.x-1.2
Drupal Jquery Ui Checkboxradio	Version 8.x-1.3

Configuration I

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36
Fedoraproject Fedora	Version 37

Configuration J

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (18)

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

Source: security-advisories@github.com

Release NotesVendor Advisory

https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9

Source: security-advisories@github.com

ExploitMitigationRelease NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html

Source: security-advisories@github.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/

Source: security-advisories@github.com

https://security.netapp.com/advisory/ntap-20220909-0007/

Source: security-advisories@github.com

Third Party Advisory

https://www.drupal.org/sa-contrib-2022-052

Source: security-advisories@github.com

Third Party Advisory

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationRelease NotesThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20220909-0007/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.drupal.org/sa-contrib-2022-052

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.