CVE-2021-41183
MEDIUMCVSS 6.1/10EPSS 7.95%
Last modified
CVE-2021-41183 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. EPSS estimates a 7.95% chance of exploitation in the next 30 days.
Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jqueryui | Jquery Ui | < 1.13.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Fedoraproject | Fedora | 36 |
| Netapp | H300s Firmware | All versions |
| Netapp | H500s Firmware | All versions |
| Netapp | H700s Firmware | All versions |
| Netapp | H300e Firmware | All versions |
| Netapp | H500e Firmware | All versions |
| Netapp | H700e Firmware | All versions |
| Netapp | H410s Firmware | All versions |
| Netapp | H410c Firmware | All versions |
| Debian | Debian Linux | 9.0 |
| Drupal | Drupal | >= 7.0, < 7.86 |
| Drupal | Drupal | >= 9.2.0, < 9.2.11 |
| Drupal | Drupal | >= 9.3.0, < 9.3.3 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Express | < 22.1.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Big Data Spatial And Graph | < 23.1 |
| Oracle | Big Data Spatial And Graph | 23.1 |
| Oracle | Communications Interactive Session Recorder | 6.4 |
| Oracle | Communications Operations Monitor | 4.3 |
| Oracle | Communications Operations Monitor | 4.4 |
| Oracle | Communications Operations Monitor | 5.0 |
| Oracle | Hospitality Inventory Management | 9.1.0 |
| Oracle | Hospitality Suite8 | >= 8.11.0, <= 11.14.0 |
| Oracle | Hospitality Suite8 | 8.10.2 |
| Oracle | Jd Edwards Enterpriseone Tools | <= 9.2.6.3 |
| Oracle | Mysql Enterprise Monitor | <= 8.0.29 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Policy Automation | >= 12.2.0, <= 12.2.5 |
| Oracle | Primavera Gateway | >= 17.7, <= 17.12 |
| Oracle | Primavera Gateway | 18.8.0 |
| Oracle | Primavera Gateway | 19.12.0 |
| Oracle | Primavera Gateway | 20.12.0 |
| Oracle | Primavera Gateway | 21.12.0 |
| Oracle | Rest Data Services | < 22.1.1 |
| Oracle | Rest Data Services | 22.1.1 |
| Oracle | Weblogic Server | 12.2.1.3.0 |
| Oracle | Weblogic Server | 12.2.1.4.0 |
| Oracle | Weblogic Server | 14.1.1.0.0 |
| Tenable | Tenable.Sc | < 5.21.0 |
References
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/Release Notes, Vendor Advisory
- https://bugs.jqueryui.com/ticket/15284Issue Tracking, Vendor Advisory
- https://github.com/jquery/jquery-ui/pull/1953Patch, Third Party Advisory
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4Exploit, Mitigation, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211118-0004/Third Party Advisory
- https://www.drupal.org/sa-contrib-2022-004Third Party Advisory
- https://www.drupal.org/sa-core-2022-001Third Party Advisory
- https://www.drupal.org/sa-core-2022-002Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
- https://www.tenable.com/security/tns-2022-09Patch, Release Notes, Third Party Advisory
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/Release Notes, Vendor Advisory
- https://bugs.jqueryui.com/ticket/15284Issue Tracking, Vendor Advisory
- https://github.com/jquery/jquery-ui/pull/1953Patch, Third Party Advisory
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4Exploit, Mitigation, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.htmlMailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211118-0004/Third Party Advisory
- https://www.drupal.org/sa-contrib-2022-004Third Party Advisory
- https://www.drupal.org/sa-core-2022-001Third Party Advisory
- https://www.drupal.org/sa-core-2022-002Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
- https://www.tenable.com/security/tns-2022-09Patch, Release Notes, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-41183?
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.
How severe is CVE-2021-41183?
CVE-2021-41183 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 7.95% probability of exploitation in the next 30 days.
How do I fix CVE-2021-41183?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-41183?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST