PT-2021-23156 · Jquery+5 · Jquery Ui+5

Published

2021-10-26

Updated

2026-03-10

CVE-2021-41182

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions jQuery UI versions prior to 1.13.0

Description Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker with an altField option set to an untrusted string, such as <img onerror='doEvilThing()' src='/404' />, will call the doEvilThing function. The issue is fixed in jQuery UI 1.13.0, where any string value passed to the altField option is now treated as a CSS selector.

Recommendations To resolve the issue, update to jQuery UI version 1.13.0 or later. As a temporary workaround, do not accept the value of the altField option from untrusted sources. Restrict access to the altField option to minimize the risk of exploitation. Avoid using untrusted strings in the altField option until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALSA-2025_16880

ALT-PU-2023-6282

ALT-PU-2023-6850

BIT-DRUPAL-2021-41182

CVE-2021-41182

DLA-2889-1

DLA-3230-1

DLA-3551-1

GHSA-9GJ3-HWP5-PMWC

RHSA-2022:4711

SUSE-SU-2022:1729-1

USN-6419-1

Affected Products

Alt Linux

Astra Linux

Debian

Linuxmint

Ubuntu

Jquery Ui

PT-2021-23156 · Jquery+5 · Jquery Ui+5

CVE-2021-41182

Weakness Enumeration

Related Identifiers

Affected Products

References · 87