6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41184

GHSA ID

GHSA-gpqq-952q-5327

EPSS Score

0.96232%

CWE

CWE-79

Published

10/26/2021

Updated

10/5/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41184

CVE-2021-41184:
XSS in the `of` option of the `.position()` util in jquery-ui

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41184

GHSA ID

GHSA-gpqq-952q-5327

EPSS Score

0.96232%

CWE

CWE-79

Published

10/26/2021

Updated

10/5/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jquery-ui	npm	< 1.13.0	1.13.0
org.webjars.npm:jquery-ui	maven	< 1.13.0	1.13.0
jQuery.UI.Combined	nuget	< 1.13.0	1.13.0
jquery-ui-rails	rubygems	< 7.0.0	7.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Imp**t ****ptin* t** v*lu* o* t** `o*` option o* t** [`.position()`](*ttps://*pi.jqu*ryui.*om/position/) util *rom untrust** sour**s m*y *x**ut* untrust** *o**. *or *x*mpl*, invokin* t** *ollowin* *o**: ```js $( "#*l*m*nt" ).position( { my: "l**

Reasoning

No *n*lysis *v*il**l*

6.5

Basic Information

Concerned about an active attack path?

CVE-2021-41184: XSS in the `of` option of the `.position()` util in jquery-ui

Impact

Patches

Workarounds

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-41184:
XSS in the `of` option of the `.position()` util in jquery-ui

Vulnerability Intelligence
Miggo AI