CVE-2021-41183

Summary

CVE	CVE-2021-41183
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-10-26 15:15:00 UTC
Updated	2023-08-31 03:15:00 UTC
Description	jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

Risk And Classification

Problem Types: CWE-79

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Drupal	Drupal	All	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Application	Jquery	Jquery Ui	All	All	All	All
Application	Jqueryui	Jquery Ui	All	All	All	All
Hardware	Netapp	H300e	-	All	All	All
Operating System	Netapp	H300e Firmware	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410c	-	All	All	All
Operating System	Netapp	H410c Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500e	-	All	All	All
Operating System	Netapp	H500e Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700e	-	All	All	All
Operating System	Netapp	H700e Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Application Express	All	All	All	All
Application	Oracle	Banking Platform	2.12.0	All	All	All
Application	Oracle	Banking Platform	2.9.0	All	All	All
Application	Oracle	Big Data Spatial And Graph	All	All	All	All
Application	Oracle	Big Data Spatial And Graph	23.1	All	All	All
Application	Oracle	Communications Interactive Session Recorder	6.4	All	All	All
Application	Oracle	Communications Operations Monitor	4.3	All	All	All
Application	Oracle	Communications Operations Monitor	4.4	All	All	All
Application	Oracle	Communications Operations Monitor	5.0	All	All	All
Application	Oracle	Hospitality Inventory Management	9.1.0	All	All	All
Application	Oracle	Hospitality Suite8	8.10.2	All	All	All
Application	Oracle	Hospitality Suite8	All	All	All	All
Application	Oracle	Jd Edwards Enterpriseone Tools	All	All	All	All
Application	Oracle	Mysql Enterprise Monitor	All	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.59	All	All	All
Application	Oracle	Policy Automation	All	All	All	All
Application	Oracle	Primavera Gateway	18.8.0	All	All	All
Application	Oracle	Primavera Gateway	19.12.0	All	All	All
Application	Oracle	Primavera Gateway	20.12.0	All	All	All
Application	Oracle	Primavera Gateway	21.12.0	All	All	All
Application	Oracle	Primavera Gateway	All	All	All	All
Application	Oracle	Rest Data Services	All	All	All	All
Application	Oracle	Rest Data Services	22.1.1	All	All	All
Application	Oracle	Weblogic Server	12.2.1.3.0	All	All	All
Application	Oracle	Weblogic Server	12.2.1.4.0	All	All	All
Application	Oracle	Weblogic Server	14.1.1.0.0	All	All	All
Application	Tenable	Tenable.sc	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 36 Update: drupal7-7.92-1.fc36 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
#15284 (XSS Vulnerability on text options of jQuery UI datepicker) – jQuery UI	MISC	bugs.jqueryui.com
jQuery UI 1.13.0 released \| jQuery UI Blog	MISC	blog.jqueryui.com
[SECURITY] Fedora 35 Update: drupal7-7.92-1.fc35 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Datepicker: Make sure text option are text, shorten HTML strings by mgol · Pull Request #1953 · jquery/jquery-ui · GitHub	MISC	github.com
[R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
[SECURITY] [DLA 3551-1] otrs2 security update	MISC	lists.debian.org
Access to this page has been denied.	MISC	www.drupal.org
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 \| Drupal.org	CONFIRM	www.drupal.org
FEDORA-2021-51c256bf87	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
XSS in `*Text` options of the Datepicker widget · Advisory · jquery/jquery-ui · GitHub	CONFIRM	github.com
[SECURITY] Fedora 36 Update: drupal7-7.92-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.0-1.fc35 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Access to this page has been denied.	CONFIRM	www.drupal.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
October 2021 jQuery Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 35 Update: drupal7-7.92-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] [DLA-2889-1] drupal7 security update	MLIST	lists.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

154117 Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2022-002)
179706 Debian Security Update for jqueryui (CVE-2021-41183)
180932 Debian Security Update for drupal7 (DLA-2889-1)
181307 Debian Security Update for jqueryui (DLA 3230-1)
199813 Ubuntu Security Notification for jQuery UI Vulnerabilities (USN-6419-1)
282060 Fedora Security Update for js (FEDORA-2021-ab38307fc3)
282066 Fedora Security Update for js (FEDORA-2021-013ab302be)
282154 Fedora Security Update for js (FEDORA-2021-51c256bf87)
283227 Fedora Security Update for drupal7 (FEDORA-2022-9d655503ea)
283277 Fedora Security Update for drupal7 (FEDORA-2022-bf18450366)
283473 Fedora Security Update for drupal7 (FEDORA-2022-c4334d5277)
378883 Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)
502054 Alpine Linux Security Update for drupal7
504707 Alpine Linux Security Update for drupal7
6000085 Debian Security Update for otrs2 (DLA 3551-1)
730263 jQueryUI Cross-Site Scripting Vulnerability
730342 Drupal Core Cross-Site Scripting (XSS) Vulnerability (SA-CORE-2022-002)
980030 Nodejs (npm) Security Update for jquery-ui (GHSA-j7qv-pgf6-hvh4)
995434 DotNet (Nuget) Security Update for jQuery.UI.Combined (GHSA-j7qv-pgf6-hvh4)
995443 Rubygems (Rubygems) Security Update for jquery-ui-rails (GHSA-j7qv-pgf6-hvh4)
995920 Java (Maven) Security Update for org.webjars.npm:jquery-ui (GHSA-j7qv-pgf6-hvh4)