[Pkg-javascript-devel] Bug#1015982: jqueryui: CVE-2022-31160
Moritz Mühlenhoff
jmm at inutil.org
Sun Jul 24 19:22:19 BST 2022
Source: jqueryui
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jqueryui.
CVE-2022-31160[0]:
| jQuery UI is a curated set of user interface interactions, effects,
| widgets, and themes built on top of jQuery. Versions prior to 1.13.2
| are potentially vulnerable to cross-site scripting. Initializing a
| checkboxradio widget on an input enclosed within a label makes that
| parent label contents considered as the input label. Calling
| `.checkboxradio( "refresh" )` on such a widget and the initial HTML
| contained encoded HTML entities will make them erroneously get
| decoded. This can lead to potentially executing JavaScript code. The
| bug has been patched in jQuery UI 1.13.2. To remediate the issue,
| someone who can change the initial HTML can wrap all the non-input
| contents of the `label` in a `span`.
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list