CVE-2021-41182
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-41182
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41182.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-41182
- Aliases
- Downstream
- Related
- Published
- 2021-10-26T15:15:10Z
- Modified
- 2025-09-19T13:15:57.520870Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the
altFieldoption of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to thealtFieldoption is now treated as a CSS selector. A workaround is to not accept the value of thealtFieldoption from untrusted sources. - References
-
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
- https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
- https://security.netapp.com/advisory/ntap-20211118-0004/
- https://www.drupal.org/sa-contrib-2022-004
- https://www.drupal.org/sa-core-2022-002
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.tenable.com/security/tns-2022-09
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
Affected packages
Git / github.com/drupal/drupal
Affected ranges
- Type
- GIT
- Repo
- https://github.com/drupal/drupal
- Events
- Type
- GIT
- Repo
- https://github.com/jquery/jquery-ui
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
7.*
7.0
7.1
7.10
7.11
7.12
7.13
7.14
7.15
7.16
7.17
7.18
7.19
7.2
7.20
7.21
7.22
7.23
7.24
7.25
7.26
7.27
7.28
7.29
7.3
7.30
7.31
7.32
7.33
7.34
7.35
7.36
7.37
7.38
7.39
7.4
7.40
7.41
7.42
7.43
7.44
7.5
7.50
7.51
7.52
7.53
7.54
7.55
7.56
7.57
7.58
7.59
7.6
7.60
7.61
7.62
7.63
7.64
7.65
7.66
7.67
7.68
7.69
7.7
7.70
7.71
7.72
7.73
7.74
7.75
7.76
7.77
7.78
7.79
7.8
7.80
7.81
7.82
7.83
7.84
7.85
7.9