1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-GPQQ-952Q-5327

[MAVEN:GHSA-GPQQ-952Q-5327] XSS in the `of` option of the `.position()` util in jquery-ui

Severity Moderate
Affected Packages 4
Fixed Packages 4
CVEs 1
Info Packages References Vulnerabilities

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
js
$( "#element" ).position( {
my: "left top",
at: "right bottom",
of: "<img onerror='doEvilThing()' src='/404' />",
collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Package Affected Version
pkg:maven/org.webjars.npm/jquery-ui < 1.13.0
pkg:maven/jQuery.UI.Combined < 1.13.0
pkg:maven/jquery-ui-rails < 7.0.0
pkg:maven/jquery-ui < 1.13.0
Package Fixed Version
pkg:maven/org.webjars.npm/jquery-ui = 1.13.0
pkg:maven/jQuery.UI.Combined = 1.13.0
pkg:maven/jquery-ui-rails = 7.0.0
pkg:maven/jquery-ui = 1.13.0
ID
MAVEN:GHSA-GPQQ-952Q-5327
Severity
moderate
URL
https://github.com/advisories/GHSA-gpqq-952q-5327
Published
2021-10-26T14:55:12
(2 years ago)
Modified
2023-10-05T05:03:48
(11 months ago)
Rights
Maven Security Team
Other Advisories
Source # ID Name URL
https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
https://nvd.nist.gov/vuln/detail/CVE-2021-41184
https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
https://security.netapp.com/advisory/ntap-20211118-0004/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
https://www.drupal.org/sa-core-2022-001
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.tenable.com/security/tns-2022-09
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://github.com/advisories/GHSA-gpqq-952q-5327
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.webjars.npm/jquery-ui org.webjars.npm jquery-ui < 1.13.0
Fixed pkg:maven/org.webjars.npm/jquery-ui org.webjars.npm jquery-ui = 1.13.0
Affected pkg:maven/jQuery.UI.Combined jQuery.UI.Combined < 1.13.0
Fixed pkg:maven/jQuery.UI.Combined jQuery.UI.Combined = 1.13.0
Affected pkg:maven/jquery-ui-rails jquery-ui-rails < 7.0.0
Fixed pkg:maven/jquery-ui-rails jquery-ui-rails = 7.0.0
Affected pkg:maven/jquery-ui jquery-ui < 1.13.0
Fixed pkg:maven/jquery-ui jquery-ui = 1.13.0
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date