Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41182

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

Published

2021-10-26T15:15:10.313

Last Modified

2024-11-21T06:25:41.707

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jqueryui	jquery_ui	< 1.13.0	Yes
Operating System	fedoraproject	fedora	33	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	fedoraproject	fedora	36	Yes
Operating System	netapp	h500s_firmware	-	Yes
Hardware	netapp	h500s	-	No
Operating System	netapp	h700s_firmware	-	Yes
Hardware	netapp	h700s	-	No
Operating System	netapp	h300e_firmware	-	Yes
Hardware	netapp	h300e	-	No
Operating System	netapp	h500e_firmware	-	Yes
Hardware	netapp	h500e	-	No
Operating System	netapp	h700e_firmware	-	Yes
Hardware	netapp	h700e	-	No
Operating System	netapp	h410s_firmware	-	Yes
Hardware	netapp	h410s	-	No
Operating System	netapp	h410c_firmware	-	Yes
Hardware	netapp	h410c	-	No
Operating System	netapp	h300s_firmware	-	Yes
Hardware	netapp	h300s	-	No
Operating System	debian	debian_linux	9.0	Yes
Application	drupal	drupal	< 7.86	Yes
Application	oracle	communications_interactive_session_recorder	6.4	Yes
Application	oracle	communications_operations_monitor	4.3	Yes
Application	oracle	communications_operations_monitor	4.4	Yes
Application	oracle	communications_operations_monitor	5.0	Yes
Application	oracle	hospitality_suite8	≤ 8.14.0	Yes
Application	oracle	hospitality_suite8	8.10.2	Yes
Application	oracle	mysql_enterprise_monitor	≤ 8.0.29	Yes
Application	oracle	primavera_unifier	17.7	Yes
Application	oracle	primavera_unifier	17.8	Yes
Application	oracle	primavera_unifier	17.9	Yes
Application	oracle	primavera_unifier	17.10	Yes
Application	oracle	primavera_unifier	17.11	Yes
Application	oracle	primavera_unifier	17.12	Yes
Application	oracle	primavera_unifier	18.8	Yes
Application	oracle	primavera_unifier	19.12	Yes
Application	oracle	primavera_unifier	20.12	Yes
Application	oracle	primavera_unifier	21.12	Yes
Application	oracle	weblogic_server	12.2.1.3.0	Yes
Application	oracle	weblogic_server	12.2.1.4.0	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes
Application	tenable	tenable.sc	< 5.21.0	Yes
Application	oracle	agile_plm	9.3.6	Yes
Application	oracle	application_express	< 22.1.1	Yes
Application	oracle	banking_platform	2.9.0	Yes
Application	oracle	banking_platform	2.12.0	Yes
Application	oracle	big_data_spatial_and_graph	< 23.1	Yes
Application	oracle	big_data_spatial_and_graph	23.1	Yes
Application	oracle	communications_interactive_session_recorder	6.4	Yes
Application	oracle	communications_operations_monitor	4.3	Yes
Application	oracle	communications_operations_monitor	4.4	Yes
Application	oracle	communications_operations_monitor	5.0	Yes
Application	oracle	hospitality_inventory_management	9.1.0	Yes
Application	oracle	hospitality_materials_control	18.1	Yes
Application	oracle	hospitality_suite8	≤ 8.14.0	Yes
Application	oracle	hospitality_suite8	8.10.2	Yes
Application	oracle	jd_edwards_enterpriseone_tools	≤ 9.2.6.3	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.59	Yes
Application	oracle	policy_automation	≤ 12.2.25	Yes
Application	oracle	primavera_unifier	≤ 17.12	Yes
Application	oracle	primavera_unifier	18.8	Yes
Application	oracle	primavera_unifier	19.12	Yes
Application	oracle	primavera_unifier	20.12	Yes
Application	oracle	primavera_unifier	21.12	Yes
Application	oracle	rest_data_services	< 22.1.1	Yes
Application	oracle	rest_data_services	22.1.1	Yes
Application	oracle	weblogic_server	12.2.1.3.0	Yes
Application	oracle	weblogic_server	12.2.1.4.0	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes

References

https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ Release Notes, Vendor Advisory ([email protected])
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 Patch, Third Party Advisory ([email protected])
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc Exploit, Mitigation, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20211118-0004/ Third Party Advisory ([email protected])
https://www.drupal.org/sa-contrib-2022-004 Third Party Advisory ([email protected])
https://www.drupal.org/sa-core-2022-002 Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://www.tenable.com/security/tns-2022-09 Third Party Advisory ([email protected])
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ Release Notes, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc Exploit, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20211118-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/sa-contrib-2022-004 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/sa-core-2022-002 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.tenable.com/security/tns-2022-09 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)