CVE-2016-7103

Exp

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Published: 2017-03-15 Last update: 2026-05-13 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2016-7103 is rated High Exploit Risk (68.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.78%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2016-7103

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2016-7103

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-24 1.40% 1.78% +0.38%
2 2026-03-04 1.56% 1.40% -0.16%
3 2026-03-01 1.56%

Full EPSS history (31 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2016-7103

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.1 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
 2.8 2.7 [email protected]
4.3 2.0 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 8.6 2.9 [email protected]

Weakness enumeration for CVE-2016-7103

GitHub Security Advisory for CVE-2016-7103

GHSA-hpcf-8vf9-q4gj · Severity: medium · Ecosystem: npm — jQuery-UI vulnerable to Cross-site Scripting in dialog closeText

OS Trackers for CVE-2016-7103

vendor priority summary link
alpine CVE-2016-7103: 1 source package rows (drupal7); 5 state rows across 5 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, edge-community); fixed 5, open 0. https://security.alpinelinux.org/vuln/CVE-2016-7103
debian not yet assigned CVE-2016-7103 not yet assigned priority: Debian including 1 source packages (jqueryui), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2016-7103
redhat low https://access.redhat.com/security/cve/CVE-2016-7103
suse medium CVE-2016-7103 severity moderate: SUSE including 7 source package names (python-XStatic-jquery-ui-1.11.0.1-2.3.1, python310-XStatic-jquery-ui-1.13.0.1-1.15, …), 7 product×package rows across 2 product lines (SUSE OpenStack Cloud 7, openSUSE Tumbleweed): Fixed 7. https://www.suse.com/security/cve/CVE-2016-7103/
ubuntu medium CVE-2016-7103 medium priority: Ubuntu including 1 source packages (jqueryui), 19 status rows across 19 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, precise, trusty, upstream, xenial, yakkety, zesty): not-affected 12, ignored 4, released 3. https://ubuntu.com/security/CVE-2016-7103

Affected software / configurations for CVE-2016-7103

Vendor Product Version Raw CPE
jqueryui jquery_ui >= 1.10.0, <= 1.11.4 cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:*:*:*
oracle application_express < 19.1 cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*
oracle business_intelligence 12.2.1.3.0 cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*
oracle business_intelligence 12.2.1.4.0 cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*
oracle hospitality_cruise_fleet_management 9.0.11 cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*
oracle oss_support_tools < 2.12.42 cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:*
oracle oss_support_tools 2.12.42 cpe:2.3:a:oracle:oss_support_tools:2.12.42:*:*:*:*:*:*:*
oracle primavera_unifier >= 16.0, <= 16.2 cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
oracle primavera_unifier >= 17.0, <= 17.12.4 cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
oracle primavera_unifier >= 18.0, <= 18.8.4 cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
oracle siebel_ui_framework <= 21.2 cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
oracle weblogic_server 10.3.6.0.0 cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
oracle weblogic_server 12.1.3.0.0 cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.3.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
fedoraproject fedora 30 cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
fedoraproject fedora 35 cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
fedoraproject fedora 36 cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
netapp snapcenter cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
redhat openstack 7.0 cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*
redhat openstack 8 cpe:2.3:a:redhat:openstack:8:*:*:*:*:*:*:*
redhat openstack 9 cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*
juniper junos 21.2 cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

References for CVE-2016-7103

URL Tags
http://rhn.redhat.com/errata/RHSA-2016-2932.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2933.html Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0161.html Third Party Advisory VDB Entry
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html Patch Third Party Advisory
http://www.securityfocus.com/bid/104823 Broken Link Third Party Advisory VDB Entry
https://github.com/jquery/api.jqueryui.com/issues/281 Exploit Issue Tracking Patch Third Party Advisory
https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6 Patch Third Party Advisory
https://jqueryui.com/changelog/1.12.0/ Release Notes Vendor Advisory
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ Mailing List Third Party Advisory
https://nodesecurity.io/advisories/127 Third Party Advisory
https://security.netapp.com/advisory/ntap-20190416-0007/ Third Party Advisory
https://www.drupal.org/sa-core-2022-002 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch Third Party Advisory
https://www.tenable.com/security/tns-2016-19 Third Party Advisory
cvelogic Threat Intelligence