Vulnerability Database

CVE-2021-41183

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

CVSS v3:

  • Severity: Medium
  • Score: 6.1
  • AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

  • Severity: Low
  • Score: 4.3
  • AV:N/AC:M/Au:N/C:N/I:P/A:N

| Software | From | Fixed in |
|---|---|---|
| fedoraproject / fedora | 33 | 33.x |
| fedoraproject / fedora | 34 | 34.x |
| fedoraproject / fedora | 35 | 35.x |
| fedoraproject / fedora | 36 | 36.x |
| debian / debian_linux | 9.0 | 9.0.x |
| drupal / drupal | 9.3.0 | 9.3.3 |
| drupal / drupal | 9.2.0 | 9.2.11 |
| drupal / drupal | 7.0 | 7.86 |
| oracle / hospitality_suite8 | 8.10.2 | 8.10.2.x |
| oracle / weblogic_server | 12.2.1.3.0 | 12.2.1.3.0.x |
| oracle / agile_plm | 9.3.6 | 9.3.6.x |
| oracle / weblogic_server | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / peoplesoft_enterprise_peopletools | 8.58 | 8.58.x |
| oracle / weblogic_server | 14.1.1.0.0 | 14.1.1.0.0.x |
| oracle / banking_platform | 2.9.0 | 2.9.0.x |
| oracle / primavera_gateway | 19.12.0 | 19.12.0.x |
| oracle / primavera_gateway | 17.7 | 17.12.x |
| oracle / primavera_gateway | 18.8.0 | 18.8.0.x |
| oracle / hospitality_inventory_management | 9.1.0 | 9.1.0.x |
| oracle / communications_interactive_session_recorder | 6.4 | 6.4.x |
| oracle / peoplesoft_enterprise_peopletools | 8.59 | 8.59.x |
| oracle / communications_operations_monitor | 4.3 | 4.3.x |
| oracle / primavera_gateway | 20.12.0 | 20.12.0.x |
| oracle / banking_platform | 2.12.0 | 2.12.0.x |
| oracle / communications_operations_monitor | 4.4 | 4.4.x |
| oracle / communications_operations_monitor | 5.0 | 5.0.x |
| oracle / primavera_gateway | 21.12.0 | 21.12.0.x |
| oracle / big_data_spatial_and_graph | 23.1 | 23.1.x |
| oracle / big_data_spatial_and_graph | - | 23.1 |
| oracle / mysql_enterprise_monitor | - | 8.0.29.x |
| oracle / hospitality_suite8 | 8.11.0 | 11.14.0.x |
| oracle / jd_edwards_enterpriseone_tools | - | 9.2.6.3.x |
| oracle / rest_data_services | - | 22.1.1 |
| oracle / application_express | - | 22.1.1 |
| oracle / policy_automation | 12.2.0 | 12.2.5.x |
| oracle / rest_data_services | 22.1.1 | 22.1.1.x |
| tenable / tenable.sc | - | 5.21.0 |
| jquery-ui | - | 1.13.0 |
| jqueryui / jquery_ui | - | 1.13.0 |