CVE-2021-41182
Untrusted code execution vulnerability in jquery-ui
What is CVE-2021-41182 About?
This vulnerability allows for untrusted code execution due to improper handling of the `altField` option in the Datepicker widget. Attackers can inject malicious code via this option, leading to arbitrary code execution. Exploitation is relatively easy if the `altField` value is sourced from untrusted input.
Affected Software
- jquery-ui
  - <1.13.0
- jQuery.UI.Combined
  - <1.13.0
- jquery-ui-rails
  - <7.0.0
- org.webjars.npm:jquery-ui
  - <1.13.0
Technical Details
The Datepicker widget in jQuery UI versions prior to 1.13.0 does not sanitize or validate the value supplied for the `altField` option. If an attacker controls that value and supplies a string containing markup with an event handler, such as `<img onerror='doEvilThing()' src='/404' />`, the string is treated as HTML rather than as a selector, the browser parses it and runs the handler. The result is injection of JavaScript or other client-side code into the page, i.e. client-side arbitrary code execution in the user's browser.
What is the Impact of CVE-2021-41182?
Successful exploitation may allow attackers to execute arbitrary code within the context of the user's browser, leading to session hijacking, data theft, defacement, or further client-side attacks.
What is the Exploitability of CVE-2021-41182?
Exploitation requires that an application initializes the jQuery UI Datepicker widget with the `altField` option whose value originates from an untrusted source, such as user input or parameters. The complexity is low as direct injection of an HTML string containing event handlers is sufficient. There are no specific authentication or privilege requirements on the victim's application, as it is a client-side vulnerability. The attack can be performed remotely by tricking a user into interacting with a malicious page or by directly injecting the payload into a vulnerable application's input field. The primary risk factor is the application's reliance on untrusted input for UI component configuration.
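The Technical Details and Exploitability sections above come down to one pattern: a string that looks like HTML is handed to the widget where a CSS selector was expected. The following is an added example written for this page, not code from jQuery UI or from the PoC author. It mirrors the heuristic jQuery's `$()` uses to decide that a string is markup (a string that starts with `<` and ends with `>`, or matches jQuery's `rquickExpr`), and uses it as a gate in an allow-list validator so that an `altField` value taken from user input is either a plain `#id` / `.class` selector or is dropped before the Datepicker is configured. The function names, the allow-list regex, and the sample inputs are all constructed for this example; the option object is what you would pass to `.datepicker()` after the check.

```javascript
// Added example (not part of the advisory or of jQuery UI): reject altField values
// that jQuery would interpret as HTML instead of as a CSS selector.

// Same test jQuery's $() applies to a string before treating it as markup
// (selector string starting with "<" and ending with ">", or a leading "<...>" run).
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function looksLikeHtml(value) {
  if (typeof value !== "string") return false;
  if (value.length >= 3 && value[0] === "<" && value[value.length - 1] === ">") {
    return true;
  }
  const m = rquickExpr.exec(value);
  return Boolean(m && m[1]); // m[1] is set only for the "<...>" branch, not the "#id" branch
}

// Allow-list for altField: a single id or class selector and nothing else.
// (Assumption for this example: the application only ever needs that form.)
const SAFE_SELECTOR = /^[#.][A-Za-z_][\w-]*$/;

function validateAltField(value) {
  if (typeof value !== "string") {
    return { ok: false, reason: "altField must be a string" };
  }
  const trimmed = value.trim();
  if (looksLikeHtml(trimmed)) {
    return { ok: false, reason: "altField looks like HTML markup, not a selector" };
  }
  if (!SAFE_SELECTOR.test(trimmed)) {
    return { ok: false, reason: "altField is not a simple #id or .class selector" };
  }
  return { ok: true, selector: trimmed };
}

// Build the options object for $(input).datepicker(...). An altField that fails
// validation is omitted entirely rather than passed through.
function buildDatepickerOptions(untrustedAltField) {
  const options = { dateFormat: "yy-mm-dd" };
  const check = validateAltField(untrustedAltField);
  if (check.ok) {
    options.altField = check.selector;
  } else {
    options.rejectedAltField = check.reason; // kept for logging; harmless to the widget
  }
  return options;
}

// Constructed sample inputs: two legitimate selectors, the payload shape from the
// advisory, an over-broad selector, and a non-string.
const SAMPLE_INPUTS = [
  "#altDate",
  "  .alt-date ",
  "<img onerror='doEvilThing()' src='/404' />",
  "div > input",
  42,
];

for (const input of SAMPLE_INPUTS) {
  console.log(JSON.stringify(input), "=>", JSON.stringify(buildDatepickerOptions(input)));
}
```

The gate is deliberately an allow-list rather than a blocklist: a blocklist that only rejects strings starting with `<` would still accept selector text that is not a selector at all. Upgrading to 1.13.0 remains the actual fix, since that release resolves `altField` only as a selector; the validator is the defence-in-depth check for the case the Exploitability section names, where the option value originates from user input.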
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| aredspy | Link | Some test files to make a good nuclei template for a JQuery UI XSS vuln |
| aredspy | Link | PoC for CVE-2021-41182 |
What are the Available Fixes for CVE-2021-41182?
Available Upgrade Options
- org.webjars.npm:jquery-ui
  - <1.13.0 → Upgrade to 1.13.0
- jquery-ui-rails
  - <7.0.0 → Upgrade to 7.0.0
- jquery-ui
  - <1.13.0 → Upgrade to 1.13.0
- jQuery.UI.Combined
  - <1.13.0 → Upgrade to 1.13.0
Additional Resources
- https://www.drupal.org/sa-core-2022-002
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-41182
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
- https://security.netapp.com/advisory/ntap-20211118-0004/
- https://www.tenable.com/security/tns-2022-09
What are Similar Vulnerabilities to CVE-2021-41182?
Similar Vulnerabilities: CVE-2017-9805, CVE-2016-1000000, CVE-2015-0235, CVE-2014-0474, CVE-2013-1996
