CVE-2021-41183
ADVISORY - githubSummary
Impact
Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
showButtonPanel: true,
showOn: "both",
closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.
Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.
Workarounds
A workaround is to not accept the value of the *Text options from untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Common Weakness Enumeration (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
NIST
2.8
CVSS SCORE
6.5mediumGitHub
2.8
CVSS SCORE
6.5mediumAlpine
-
Debian
-
Ubuntu
2.8
CVSS SCORE
6.1mediumBitnami
BIT-2021-41183
-
CVSS SCORE
N/AmediumBitnami
BIT-drupal-2021-41183
2.8
CVSS SCORE
6.1mediumRed Hat
2.8
CVSS SCORE
6.5mediumintheWild
-
-