// For flags

CVE-2022-31160

jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

jQuery UI es un conjunto curado de interacciones de interfaz de usuario, efectos, widgets y temas construidos sobre jQuery. Las versiones anteriores a 1.13.2, son potencialmente vulnerables a un ataque de tipo cross-site scripting. La inicialización de un widget checkboxradio en una entrada encerrada dentro de una etiqueta hace que el contenido de la etiqueta padre sea considerado como la etiqueta de entrada. Llamar a ".checkboxradio("refresh" )" en un widget de este tipo y que el HTML inicial contenga entidades HTML codificadas hará que sean decodificadas erróneamente. Esto puede conllevar a una posible ejecución de código JavaScript. El error ha sido parcheado en jQuery UI 1.13.2. Para remediar el problema, alguien que pueda cambiar el HTML inicial puede envolver todo el contenido que no sea de entrada de la "label" en un "span"

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-05-18 CVE Reserved
  • 2022-07-20 CVE Published
  • 2024-02-10 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Netapp
Search vendor "Netapp"
H300s Firmware
Search vendor "Netapp" for product "H300s Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
H300s
Search vendor "Netapp" for product "H300s"
--
Safe
Netapp
Search vendor "Netapp"
H500s Firmware
Search vendor "Netapp" for product "H500s Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
H500s
Search vendor "Netapp" for product "H500s"
--
Safe
Netapp
Search vendor "Netapp"
H700s Firmware
Search vendor "Netapp" for product "H700s Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
H700s
Search vendor "Netapp" for product "H700s"
--
Safe
Netapp
Search vendor "Netapp"
H410s Firmware
Search vendor "Netapp" for product "H410s Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
H410s
Search vendor "Netapp" for product "H410s"
--
Safe
Netapp
Search vendor "Netapp"
H410c Firmware
Search vendor "Netapp" for product "H410c Firmware"
--
Affected
in Netapp
Search vendor "Netapp"
H410c
Search vendor "Netapp" for product "H410c"
--
Safe
Jqueryui
Search vendor "Jqueryui"
Jquery Ui
Search vendor "Jqueryui" for product "Jquery Ui"
< 1.13.2
Search vendor "Jqueryui" for product "Jquery Ui" and version " < 1.13.2"
jquery
Affected
Netapp
Search vendor "Netapp"
Oncommand Insight
Search vendor "Netapp" for product "Oncommand Insight"
--
Affected
Drupal
Search vendor "Drupal"
Jquery Ui Checkboxradio
Search vendor "Drupal" for product "Jquery Ui Checkboxradio"
8.x-1.0
Search vendor "Drupal" for product "Jquery Ui Checkboxradio" and version "8.x-1.0"
drupal
Affected
Drupal
Search vendor "Drupal"
Jquery Ui Checkboxradio
Search vendor "Drupal" for product "Jquery Ui Checkboxradio"
8.x-1.1
Search vendor "Drupal" for product "Jquery Ui Checkboxradio" and version "8.x-1.1"
drupal
Affected
Drupal
Search vendor "Drupal"
Jquery Ui Checkboxradio
Search vendor "Drupal" for product "Jquery Ui Checkboxradio"
8.x-1.2
Search vendor "Drupal" for product "Jquery Ui Checkboxradio" and version "8.x-1.2"
drupal
Affected
Drupal
Search vendor "Drupal"
Jquery Ui Checkboxradio
Search vendor "Drupal" for product "Jquery Ui Checkboxradio"
8.x-1.3
Search vendor "Drupal" for product "Jquery Ui Checkboxradio" and version "8.x-1.3"
drupal
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
37
Search vendor "Fedoraproject" for product "Fedora" and version "37"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected