CVE-2022-31160

Published: 20 July 2022

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Priority

Cvss 3 Severity Score

6.1

Score breakdown

Status

Package	Release	Status
jqueryui Launchpad, Ubuntu, Debian	bionic	Released (1.12.1+dfsg-5ubuntu0.18.04.1~esm2) Available with Ubuntu Pro
	focal	Released (1.12.1+dfsg-5ubuntu0.20.04.1)
	jammy	Released (1.13.1+dfsg-1ubuntu0.1~esm1) Available with Ubuntu Pro
	kinetic	Ignored (end of life, was needs-triage)
	lunar	Not vulnerable (1.13.2+dfsg-1)
	mantic	Not vulnerable (1.13.2+dfsg-1)
	trusty	Not vulnerable (code not present)
	upstream	Released (1.13.2)
	xenial	Not vulnerable (code not present)

Severity score breakdown

Parameter	Value
Base score	6.1
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›