GHSA-g8q2-24jh-5hpc
Cross-site scripting (XSS) vulnerability in jquery-ui

Cross-site scripting (XSS) No known exploit

What is GHSA-g8q2-24jh-5hpc About?

This vulnerability is a Cross-site scripting (XSS) flaw in jQuery UI that allows remote attackers to inject arbitrary web scripts. Successful exploitation can lead to defacement, information disclosure, or session hijacking. It is relatively easy to exploit given the ability to manipulate the closeText parameter.

Affected Software

  • jquery-ui
    • <1.12.0
  • jQuery.UI.Combined
    • <1.12.0
  • org.webjars.npm:jquery-ui
    • <1.12.0
  • jquery-ui-rails
    • <6.0.0

Technical Details

The vulnerability exists in jQuery UI before version 1.12.0. Specifically, it allows for Cross-site scripting (XSS) due to improper handling of the `closeText` parameter within the `dialog` function. An attacker can craft a malicious input for the `closeText` parameter, embedding arbitrary web script or HTML. When a user interacts with a dialog box utilizing this manipulated parameter, the injected script will be executed in the user's browser, leading to various client-side attacks.

What is the Impact of GHSA-g8q2-24jh-5hpc?

Successful exploitation may allow attackers to inject malicious scripts into web pages viewed by other users, leading to session hijacking, defacement of the website, unauthorized information disclosure, or redirection to malicious sites.

What is the Exploitability of GHSA-g8q2-24jh-5hpc?

Exploitation of this XSS vulnerability is of medium complexity, requiring the attacker to identify a user input field that directly influences the `closeText` parameter of a jQuery UI dialog function. No authentication is strictly required if the vulnerable functionality is exposed to unauthenticated users, though it could also be exploited by authenticated users. It typically requires remote access to interact with the web application. The primary constraint is the attacker's ability to inject crafted data into the specific parameter. Risk factors that increase likelihood include applications accepting unsanitized user input into configurable jQuery UI dialog options.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for GHSA-g8q2-24jh-5hpc?

Available Upgrade Options

  • jquery-ui-rails
    • <6.0.0 → Upgrade to 6.0.0
  • org.webjars.npm:jquery-ui
    • <1.12.0 → Upgrade to 1.12.0
  • jquery-ui
    • <1.12.0 → Upgrade to 1.12.0
  • jQuery.UI.Combined
    • <1.12.0 → Upgrade to 1.12.0

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to GHSA-g8q2-24jh-5hpc?

Similar Vulnerabilities: CVE-2017-1000008 , CVE-2015-9251 , CVE-2014-9729 , CVE-2016-7103 , CVE-2011-4969

All Rights reserved 2025
Privacy Policy