PT-2021-7968 · Jquery-Ui+5 · Jquery Ui+5

Published: 2021-05-04 · Updated: 2026-03-01 · CVE-2021-41184

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: jQuery UI versions prior to 1.13.0

Description: The issue is related to the `.position()` util in jQuery UI, where accepting the value of the `of` option from untrusted sources may execute untrusted code. Any string value passed to the `of` option is now treated as a CSS selector in version 1.13.0. A workaround is to not accept the value of the `of` option from untrusted sources. For example, invoking the following code:

```js
$( "#element" ).position( {
  my: "left top",
  at: "right bottom",
  of: "<img onerror='doEvilThing()' src='/404' />",
  collision: "none"
} );
```

will call the doEvilThing() function.

Recommendations: To resolve the issue, update to jQuery UI version 1.13.0 or later. As a temporary workaround, consider not accepting the value of the `of` option from untrusted sources. Restrict access to the `.position()` util to minimize the risk of exploitation. Avoid using the `of` option in the affected API endpoint until the issue is resolved.
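As an added example (not part of this advisory or of jQuery UI's own code): a guard that applies the 1.13.0 semantics on older versions by classifying the `of` value before it reaches `.position()`. `classifyOfOption`, `safePosition` and the `root` parameter are hypothetical names, and the HTML-detection regex is assumed to mirror the rule jQuery core uses when `$()` decides whether a string is markup or a selector.

```javascript
// Added example, not jQuery UI code: guard the `of` option of .position() on
// jQuery UI < 1.13.0, where a string `of` is handed to $() and, if it looks
// like HTML, is parsed into live elements (running inline handlers).

// Assumed to mirror jQuery core's rule for "this string is HTML, not a
// selector". Anything it matches would be created as markup, not selected.
const HTML_RE = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function looksLikeHtml(str) {
  if (str[0] === "<" && str[str.length - 1] === ">" && str.length >= 3) return true;
  const m = HTML_RE.exec(str);
  return !!(m && m[1]); // m[2] is the "#id" fast path, which is a selector
}

// Classify an `of` value the way the 1.13.0 fix treats it: objects (elements,
// jQuery sets, events) pass through, strings are only ever CSS selectors, and
// any string jQuery would parse as HTML is refused rather than created.
function classifyOfOption(value) {
  if (value !== null && typeof value === "object") return "object";
  if (typeof value !== "string") return "rejected";
  if (looksLikeHtml(value)) return "rejected";
  return "selector";
}

// Hypothetical wrapper around $(el).position(): resolves a string `of` with
// querySelector (never with $()), so an untrusted string cannot become markup.
function safePosition($el, options, root = document) {
  const kind = classifyOfOption(options.of);
  if (kind === "rejected") throw new TypeError("refusing unsafe `of` option");
  const target = kind === "selector" ? root.querySelector(options.of) : options.of;
  if (!target) throw new Error("`of` selector matched nothing");
  return $el.position({ ...options, of: target });
}
```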

Exploit

Fix

XSS


Related Identifiers

ALSA-2025_1210
ALSA-2025_1215
ALSA-2025_1300
ALSA-2025_1301
ALSA-2025_1306
ALSA-2025_1309
ALSA-2025_1314
ALSA-2025_1329
ALSA-2025_1338
ALSA-2025_1346
ALSA-2025_16880
ALT-PU-2023-6282
ALT-PU-2023-6850
BDU:2023-07871
BIT-DRUPAL-2021-41184
CVE-2021-41184
DLA-3230-1
DLA-3551-1
GHSA-GPQQ-952Q-5327
RHSA-2022:4711
SUSE-SU-2022:1729-1
USN-5181-1
USN-6419-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Ubuntu
Jquery Ui