CVE-2022-31160

Summary

CVE: CVE-2022-31160
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-07-20 20:15:00 UTC
Updated: 2023-11-07 03:47:00 UTC
Description: jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label causes the contents of that parent label to be treated as the input's label. If `.checkboxradio( "refresh" )` is then called on such a widget and the initial HTML contained encoded HTML entities, those entities are erroneously decoded, which can lead to execution of JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue without upgrading, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Risk And Classification

Problem Types: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Debian | Debian Linux | 10.0 | All | All | All
Application | Drupal | Jquery Ui Checkboxradio | 8.x-1.0 | All | All | All
Application | Drupal | Jquery Ui Checkboxradio | 8.x-1.1 | All | All | All
Application | Drupal | Jquery Ui Checkboxradio | 8.x-1.2 | All | All | All
Application | Drupal | Jquery Ui Checkboxradio | 8.x-1.3 | All | All | All
Operating System | Fedoraproject | Fedora | 35 | All | All | All
Operating System | Fedoraproject | Fedora | 36 | All | All | All
Operating System | Fedoraproject | Fedora | 37 | All | All | All
Application | Jqueryui | Jquery Ui | All | All | All | All
Hardware | Netapp | H300s | - | All | All | All
Operating System | Netapp | H300s Firmware | - | All | All | All
Hardware | Netapp | H410c | - | All | All | All
Operating System | Netapp | H410c Firmware | - | All | All | All
Hardware | Netapp | H410s | - | All | All | All
Operating System | Netapp | H410s Firmware | - | All | All | All
Hardware | Netapp | H500s | - | All | All | All
Operating System | Netapp | H500s Firmware | - | All | All | All
Hardware | Netapp | H700s | - | All | All | All
Operating System | Netapp | H700s Firmware | - | All | All | All
Application | Netapp | Oncommand Insight | - | All | All | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 37 Update: js-jquery-ui-1.13.2-1.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: js-jquery-ui-1.13.2-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.2-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] [DLA 3230-1] jqueryui security update | MLIST | lists.debian.org |
Checkboxradio: Don't re-evaluate text labels as HTML · jquery/jquery-ui@8cc5bae · GitHub | MISC | github.com |
XSS when refreshing a checkboxradio with an HTML-like initial text label · Advisory · jquery/jquery-ui · GitHub | CONFIRM | github.com |
CVE-2022-31160 jQuery Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
Drupal security advisory (page title could not be retrieved) | MISC | www.drupal.org |
jQuery UI 1.13.2 released | jQuery UI Blog | MISC | blog.jqueryui.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 150676 Oracle WebLogic Server Multiple Vulnerabilities (APR-2023)
  • 181307 Debian Security Update for jqueryui (DLA 3230-1)
  • 183658 Debian Security Update for jqueryui (CVE-2022-31160)
  • 199813 Ubuntu Security Notification for jQuery UI Vulnerabilities (USN-6419-1)
  • 283327 Fedora Security Update for js (FEDORA-2022-1a01ed37e2)
  • 283328 Fedora Security Update for js (FEDORA-2022-22d8ba36d0)
  • 283423 Fedora Security Update for js (FEDORA-2022-7291b78111)
  • 87542 Oracle WebLogic Server Multiple Vulnerabilities (CPUAPR2023)
  • 995435 DotNet (Nuget) Security Update for jQuery.UI.Combined (GHSA-h6gj-6jjq-h8g9)
  • 995444 Rubygems (Rubygems) Security Update for jquery-ui-rails (GHSA-h6gj-6jjq-h8g9)
  • 995462 Java (Maven) Security Update for org.webjars.npm:jquery-ui (GHSA-h6gj-6jjq-h8g9)
© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of the user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
