Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.
A workaround is to not accept the value of the altField option from untrusted sources.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
| Score | Percentile |
|---|---|
| 24.08% | 96.00% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.5 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-9gj3-hwp5-pmwc ↗ |
| CVE | CVE-2021-41182 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | jquery-ui | < 1.13.0 | 1.13.0 | — |
| nuget | jQuery.UI.Combined | < 1.13.0 | 1.13.0 | — |
| maven | org.webjars.npm:jquery-ui | < 1.13.0 | 1.13.0 | — |
| rubygems | jquery-ui-rails | < 7.0.0 | 7.0.0 | — |