6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41183

GHSA ID

GHSA-j7qv-pgf6-hvh4

EPSS Score

0.80507%

CWE

CWE-79

Published

10/26/2021

Updated

9/26/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41183

CVE-2021-41183: XSS in `*Text` options of the Datepicker widget in jquery-ui

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41183

GHSA ID

GHSA-j7qv-pgf6-hvh4

EPSS Score

0.80507%

CWE

CWE-79

Published

10/26/2021

Updated

9/26/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jquery-ui	npm	< 1.13.0	1.13.0
org.webjars.npm:jquery-ui	maven	< 1.13.0	1.13.0
jQuery.UI.Combined	nuget	< 1.13.0	1.13.0
jquery-ui-rails	rubygems	< 7.0.0	7.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Imp**t ****ptin* t** v*lu* o* v*rious `*T*xt` options o* t** **t*pi*k*r wi***t *rom untrust** sour**s m*y *x**ut* untrust** *o**. *or *x*mpl*, initi*lizin* t** **t*pi*k*r in t** *ollowin* w*y: ```js $( "#**t*pi*k*r" ).**t*pi*k*r( { s*ow*uttonP*n

Reasoning

No *n*lysis *v*il**l*

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-41183: XSS in `*Text` options of the Datepicker widget in jquery-ui

Impact

Patches

Workarounds

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI