CVE-2021-41183
Cross-Site Scripting (XSS) vulnerability in jquery-ui (npm)
What is CVE-2021-41183 About?
This Cross-Site Scripting (XSS) vulnerability in jQuery UI's Datepicker widget allows attackers to execute arbitrary JavaScript if certain 'Text' options are populated with untrusted input. The impact is client-side code execution, typically leading to session hijacking or defacement. Exploitation is relatively easy if an application directly uses untrusted input in these Datepicker options.
Affected Software
- jquery-ui: <1.13.0
- org.webjars.npm:jquery-ui: <1.13.0
- jquery-ui-rails: <7.0.0
- jQuery.UI.Combined: <1.13.0
Technical Details
The 'Text' options of jQuery UI's Datepicker widget (e.g., closeText, currentText, prevText, nextText, buttonText, appendText) were vulnerable to Cross-Site Scripting (XSS). Prior to the fix in version 1.13.0, these options were not sanitized and were rendered as HTML. If an application initialized the Datepicker with values for these options taken directly from untrusted user input without sanitization, an attacker could inject malicious script tags (e.g., <script>doEvilThing()</script>). When the Datepicker UI was rendered or interacted with, the browser would parse and execute the injected JavaScript in the context of the user's browser session, resulting in XSS.
What is the Impact of CVE-2021-41183?
Successful exploitation may allow attackers to execute arbitrary client-side script code in the context of the user's browser, potentially leading to session hijacking, defacement of the affected web page, or redirection to malicious sites.
What is the Exploitability of CVE-2021-41183?
Exploitation is straightforward if an application directly uses untrusted input for the affected Datepicker options. No specific authentication or high privilege is required beyond the ability to supply input that influences these options, typically through web forms or URL parameters. This is a remote, client-side vulnerability. The primary constraint is that the application must pass user-controlled data directly into the Datepicker configuration. Risk is higher where the application does not perform robust input validation and sanitization on data intended for these configuration fields. Attackers can leverage typical XSS attack vectors to deliver malicious payloads.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-41183?
Available Upgrade Options
- jquery-ui-rails: <7.0.0 → Upgrade to 7.0.0
- org.webjars.npm:jquery-ui: <1.13.0 → Upgrade to 1.13.0
- jquery-ui: <1.13.0 → Upgrade to 1.13.0
- jQuery.UI.Combined: <1.13.0 → Upgrade to 1.13.0
Additional Resources
- https://www.drupal.org/sa-core-2022-002
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://bugs.jqueryui.com/ticket/15284
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
- https://security.netapp.com/advisory/ntap-20211118-0004/
- https://www.tenable.com/security/tns-2022-09
What are Similar Vulnerabilities to CVE-2021-41183?
Similar Vulnerabilities: CVE-2020-11022, CVE-2020-11023, CVE-2019-11358, CVE-2017-1000048, CVE-2016-10706
