CVE-2021-41184
MEDIUMCVSS 6.1/10EPSS 42.85%
Last modified
CVE-2021-41184 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. EPSS estimates a 42.85% chance of exploitation in the next 30 days.
Description
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jqueryui | Jquery Ui | < 1.13.0 |
| Fedoraproject | Fedora | 33 |
| Fedoraproject | Fedora | 34 |
| Fedoraproject | Fedora | 35 |
| Fedoraproject | Fedora | 36 |
| Netapp | H300s Firmware | All versions |
| Netapp | H500s Firmware | All versions |
| Netapp | H700s Firmware | All versions |
| Netapp | H300e Firmware | All versions |
| Netapp | H500e Firmware | All versions |
| Netapp | H700e Firmware | All versions |
| Netapp | H410s Firmware | All versions |
| Netapp | H410c Firmware | All versions |
| Drupal | Drupal | >= 7.0, < 7.86 |
| Drupal | Drupal | >= 9.2.0, < 9.2.11 |
| Drupal | Drupal | >= 9.3.0, < 9.3.3 |
| Tenable | Tenable.Sc | < 5.21.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Express | < 22.1.1 |
| Oracle | Banking Platform | 2.9.0 |
| Oracle | Banking Platform | 2.12.0 |
| Oracle | Big Data Spatial And Graph | < 23.1 |
| Oracle | Big Data Spatial And Graph | 23.1 |
| Oracle | Communications Interactive Session Recorder | 6.4 |
| Oracle | Communications Operations Monitor | 4.3 |
| Oracle | Communications Operations Monitor | 4.4 |
| Oracle | Communications Operations Monitor | 5.0 |
| Oracle | Hospitality Inventory Management | 9.1.0 |
| Oracle | Hospitality Materials Control | 18.1 |
| Oracle | Hospitality Suite8 | >= 8.11.0, <= 8.14.0 |
| Oracle | Hospitality Suite8 | 8.10.2 |
| Oracle | Jd Edwards Enterpriseone Tools | <= 9.2.6.3 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.59 |
| Oracle | Policy Automation | >= 12.2.0, <= 12.2.25 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Primavera Unifier | 20.12 |
| Oracle | Primavera Unifier | 21.12 |
| Oracle | Rest Data Services | < 22.1.1 |
| Oracle | Rest Data Services | 22.1.1 |
| Oracle | Weblogic Server | 12.2.1.3.0 |
| Oracle | Weblogic Server | 12.2.1.4.0 |
| Oracle | Weblogic Server | 14.1.1.0.0 |
References
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/Release Notes, Vendor Advisory
- https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280Patch, Vendor Advisory
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327Mitigation, Patch, Vendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211118-0004/Third Party Advisory
- https://www.drupal.org/sa-core-2022-001Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
- https://www.tenable.com/security/tns-2022-09Patch, Release Notes, Third Party Advisory
- https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/Release Notes, Vendor Advisory
- https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280Patch, Vendor Advisory
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327Mitigation, Patch, Vendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/Mailing List, Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/Mailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20211118-0004/Third Party Advisory
- https://www.drupal.org/sa-core-2022-001Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlThird Party Advisory
- https://www.tenable.com/security/tns-2022-09Patch, Release Notes, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-41184?
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
How severe is CVE-2021-41184?
CVE-2021-41184 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 42.85% probability of exploitation in the next 30 days.
How do I fix CVE-2021-41184?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2021-41184?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST