CVE-2022-31160
HTML injection vulnerability in jquery-ui

HTML injection Proof of concept

What is CVE-2022-31160 About?

This vulnerability is an HTML injection flaw in jQuery UI that can lead to arbitrary JavaScript execution. It occurs when a checkboxradio widget is refreshed and encoded HTML entities within its label are erroneously decoded. Successful exploitation allows an attacker to execute arbitrary code in the victim's browser; exploitation is of moderate complexity.

Affected Software

  • jquery-ui
    • <1.13.2
  • org.webjars.npm:jquery-ui
    • <1.13.2
  • jquery-ui-rails
    • <=7.0.0
  • jQuery.UI.Combined
    • <1.13.2

Technical Details

The vulnerability lies within the jQuery UI `checkboxradio` widget. If an `input` element is enclosed within a `label` and the initial HTML contains encoded HTML entities (e.g., `&lt;img src=x onerror="alert(1)"&gt;`), calling `.checkboxradio( "refresh" )` on the widget will erroneously decode these entities. This transformation turns the benign encoded string into active HTML elements, specifically allowing `onerror` event handlers on injected `<img>` tags to execute arbitrary JavaScript. This effectively leads to an HTML injection that can facilitate client-side code execution.
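The following is an added example, not code from this advisory or from jQuery UI. It models the round trip described above without a DOM: the label's child nodes are serialized (text nodes via their already-decoded text, elements via outerHTML) and the result is handed to an HTML setter on refresh. The `labelChildren` list is a constructed stand-in for what a browser parser builds from `<label>Accept &lt;img src=x onerror="alert(1)"&gt; <input type="checkbox"></label>`; `escapeHtml`, `serializeLabelVulnerable`, `serializeLabelSafe`, `hasInlineHandler` and `isAffectedJqueryUi` are hypothetical helper names.

```javascript
// Browser parsers decode entities into text node data, so the text node already holds
// literal angle brackets; element children are kept as elements. Constructed sample.
const labelChildren = [
  { type: "text", data: 'Accept <img src=x onerror="alert(1)"> ' },
  { type: "element", outerHTML: '<input type="checkbox">' },
];

// Minimal HTML escaping for text that will pass through an HTML setter.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable serialization (the pattern behind the CVE): text nodes contribute their
// decoded data, so an HTML setter (.html()/innerHTML) parses the former text as markup.
function serializeLabelVulnerable(children) {
  return children.map((n) => (n.type === "text" ? n.data : n.outerHTML)).join("");
}

// Hardened serialization: re-encode text node data so the HTML setter rebuilds a text
// node; children that really were elements are reproduced unchanged.
function serializeLabelSafe(children) {
  return children.map((n) => (n.type === "text" ? escapeHtml(n.data) : n.outerHTML)).join("");
}

// Defensive check on a string about to enter an HTML setter: a tag carrying an on*
// attribute would execute on insertion.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Dependency audit for the jquery-ui package: versions below 1.13.2 are affected.
function isAffectedJqueryUi(version) {
  const fixed = [1, 13, 2];
  const parts = version.split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < fixed.length; i++) {
    const v = parts[i] || 0;
    if (v !== fixed[i]) return v < fixed[i];
  }
  return false; // exactly 1.13.2 is fixed
}

console.log(hasInlineHandler(serializeLabelVulnerable(labelChildren))); // true
console.log(hasInlineHandler(serializeLabelSafe(labelChildren)));       // false
console.log(isAffectedJqueryUi("1.13.1"), isAffectedJqueryUi("1.13.2")); // true false
```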

What is the Impact of CVE-2022-31160?

Successful exploitation may allow attackers to execute arbitrary JavaScript code in the context of the user's browser, leading to session hijacking, defacement of the website, unauthorized information disclosure, or redirection to malicious sites.

What is the Exploitability of CVE-2022-31160?

Exploitation requires crafting specific initial HTML with encoded entities inside a label wrapping an input, followed by a `.checkboxradio( "refresh" )` call on that input. The complexity is moderate due to the sequence of operations required. No specific authentication or privilege is required for the attacker to prepare the vulnerable HTML if content can be supplied client-side. This is a remote client-side vulnerability where the attacker needs to inject the vulnerable HTML structure. The main constraint is the application's processing of user-supplied HTML that gets wrapped in a label and then refreshed by the `checkboxradio` widget. Risk factors increase if applications allow users to submit even seemingly 'safe' HTML with encoded entities or if UI components use this specific interaction pattern with untrusted data.

What are the Known Public Exploits?

PoC Author         Link   Commentary
CyberOne-TeamARES  Link   jquery XSS Proof of Concept (PoC)

What are the Available Fixes for CVE-2022-31160?

Available Upgrade Options

  • org.webjars.npm:jquery-ui
    • <1.13.2 → Upgrade to 1.13.2
  • jquery-ui
    • <1.13.2 → Upgrade to 1.13.2
  • jQuery.UI.Combined
    • <1.13.2 → Upgrade to 1.13.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-31160?

Similar Vulnerabilities: CVE-2021-41182, GHSA-g8q2-24jh-5hpc, CVE-2016-7103, CVE-2015-9251, CVE-2014-9729