PT-2021-23157 · Jquery+5 · Jquery Ui+5

Published: 2021-10-26 · Updated: 2025-11-10 · CVE-2021-41183

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

jQuery UI versions prior to 1.13.0

Description

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker with options such as closeText, currentText, prevText, nextText, buttonText, or appendText set to untrusted input can lead to code execution. The issue is fixed in jQuery UI 1.13.0, where the values passed to these options are now treated as pure text, not HTML.

Recommendations

For versions prior to 1.13.0, a workaround is to not accept the value of the *Text options from untrusted sources. Update to jQuery UI 1.13.0 or later to fix the issue.
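
One way to apply the workaround, as an added JavaScript example (not code from jQuery UI or from this advisory): untrusted settings are merged over trusted defaults, and every *Text option is dropped from the untrusted side unless the loaded jQuery UI version is 1.13.0 or later. The helper names `safeDatepickerOptions` and `isPatched`, the sample settings, and the choice to treat any key ending in `Text` as affected are assumptions.

```javascript
// Added example; safeDatepickerOptions and isPatched are hypothetical helper names.
// Options the advisory names as rendered as HTML before jQuery UI 1.13.0.
const TEXT_OPTIONS = ["closeText", "currentText", "prevText",
                      "nextText", "buttonText", "appendText"];

// True when a jQuery UI version string such as "1.12.1" is 1.13.0 or later.
function isPatched(version) {
  const [major, minor] = String(version).split(".").map((n) => parseInt(n, 10) || 0);
  return major > 1 || (major === 1 && (minor || 0) >= 13);
}

// Merge untrusted settings over trusted defaults for the Datepicker widget.
// Before 1.13.0 no *Text option is taken from the untrusted side, so the
// trusted default (or the widget's built-in text) stays in place.
// On patched versions a *Text value is accepted only if it is a string.
function safeDatepickerOptions(trusted, untrusted, uiVersion) {
  const options = { ...trusted };
  const dropped = [];
  const patched = isPatched(uiVersion);
  for (const [key, value] of Object.entries(untrusted || {})) {
    // Assumption: any option ending in "Text" is treated as affected,
    // since the advisory says "various *Text options".
    const isText = TEXT_OPTIONS.includes(key) || /Text$/.test(key);
    if (isText && (!patched || typeof value !== "string")) {
      dropped.push(key); // keep a record so the rejection can be logged
      continue;
    }
    options[key] = value;
  }
  return { options, dropped };
}

// Constructed sample input: a per-user settings object parsed from JSON.
const sample = JSON.parse(
  '{"dateFormat":"yy-mm-dd","closeText":"<b>Done</b>","prevText":"Back"}');
const trustedDefaults = { closeText: "Close", showButtonPanel: true };

console.log(safeDatepickerOptions(trustedDefaults, sample, "1.12.1"));
console.log(safeDatepickerOptions(trustedDefaults, sample, "1.13.0"));
// In a page, assuming jQuery UI is loaded:
// $("#date").datepicker(safeDatepickerOptions(defaults, cfg, $.ui.version).options);
```

The `dropped` list gives a place to log rejected keys, which helps spot inputs that attempt to set these options on unpatched deployments.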

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2023-6282
ALT-PU-2023-6850
BIT-DRUPAL-2021-41183
CVE-2021-41183
DLA-2889-1
DLA-3230-1
DLA-3551-1
GHSA-J7QV-PGF6-HVH4
OESA-2022-1693
RHSA-2022:4711
SUSE-SU-2022:1729-1
USN-6419-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Ubuntu
Jquery Ui