CVE-2016-7103
cross-site scripting vulnerability in jquery-ui

cross-site scripting No known exploit

What is CVE-2016-7103 About?

Affected versions of `jquery-ui` contain a cross-site scripting (XSS) vulnerability in the `dialog` function when processing the `closeText` parameter. This allows attackers to inject malicious scripts into web pages, potentially leading to session hijacking or data theft. The vulnerability is easy to exploit by supplying crafted user input.

Affected Software

  • jquery-ui
    • <1.12.0
  • jquery-ui-rails
    • <6.0.0
  • org.webjars.npm:jquery-ui
    • <1.12.0
  • jQuery.UI.Combined
    • <1.12.0

Technical Details

The `jquery-ui` library, specifically in versions prior to 1.12.0, is susceptible to a cross-site scripting (XSS) vulnerability. This flaw resides within the `dialog` function when handling the `closeText` parameter. If an application directly uses user-supplied input as the value for the `closeText` parameter without proper sanitization, an attacker can inject malicious script code. When the dialog is subsequently rendered by a vulnerable web application, the injected script will be executed in the context of the user's browser. This allows the attacker to bypass the Same-Origin Policy and perform actions such as stealing session cookies, defacing the website, redirecting the user to malicious sites, or performing arbitrary actions on behalf of the user within the application.

What is the Impact of CVE-2016-7103?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement of web content, redirection to malicious websites, or theft of sensitive user data.

What is the Exploitability of CVE-2016-7103?

Exploitation of this XSS vulnerability is relatively straightforward and requires minimal complexity. The primary prerequisite is that the target web application must accept untrusted user input and supply it directly to the `closeText` parameter of the jQuery-UI `dialog` function without adequate sanitization. No specific authentication or elevated privileges are required for the attacker; the attack is conducted remotely through web browser interaction. An attacker typically crafts a malicious URL or input field that, when processed by the vulnerable application, injects the XSS payload. The risk of exploitation is significantly increased in web applications that rely heavily on client-side rendering with user-controlled data and lack robust output encoding or content security policies.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2016-7103?

Available Upgrade Options

  • jquery-ui
    • <1.12.0 → Upgrade to 1.12.0
  • org.webjars.npm:jquery-ui
    • <1.12.0 → Upgrade to 1.12.0
  • jQuery.UI.Combined
    • <1.12.0 → Upgrade to 1.12.0
  • jquery-ui-rails
    • <6.0.0 → Upgrade to 6.0.0
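
Where an upgrade cannot ship immediately, the untrusted value can be encoded before it reaches `closeText`. The following is an added example, not code from jQuery UI or from this advisory: the helper names are hypothetical, and it assumes affected versions render `closeText` as HTML (as described above) and that callers pass the loaded library version (in a browser, `$.ui.version`).

```javascript
// Added example; helper names are hypothetical, not part of jQuery UI.
const FIXED_VERSION = "1.12.0"; // first fixed jquery-ui release per this advisory

// Numeric comparison of dotted versions ("1.9.2" < "1.12.0"); suffix after "-" ignored.
function compareVersions(a, b) {
  const parse = (v) => String(v).split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Assumption: unknown versions and 1.12.0 pre-releases are treated as affected (fail closed).
function isAffected(version) {
  if (typeof version !== "string" || !/^\d+(\.\d+)*/.test(version)) return true;
  const cmp = compareVersions(version, FIXED_VERSION);
  return cmp < 0 || (cmp === 0 && version.includes("-"));
}

// Encode the characters that let a string leave a text context in HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return a copy of the dialog options with closeText encoded on affected versions.
// On fixed versions the value is passed through, so it is not encoded twice.
function hardenDialogOptions(options, uiVersion) {
  const out = Object.assign({}, options);
  if (out.closeText != null && isAffected(uiVersion)) {
    out.closeText = escapeHtml(out.closeText);
  }
  return out;
}

// Constructed sample: a label containing markup, standing in for untrusted input.
const sample = { title: "Notice", closeText: "<i>Close & exit</i>" };
console.log(hardenDialogOptions(sample, "1.11.4").closeText);
console.log(hardenDialogOptions(sample, "1.12.0").closeText);
// Browser usage (not run here): $("#dlg").dialog(hardenDialogOptions(opts, $.ui.version));
```

The version gate matters because encoding the value on a fixed release would show the entities literally in the close button; remove the wrapper once every page loads 1.12.0 or later.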

Additional Resources

What are Similar Vulnerabilities to CVE-2016-7103?

Similar Vulnerabilities: CVE-2017-9003, CVE-2015-9251, CVE-2014-0050, CVE-2013-1764, CVE-2012-6708