ghsa-h6gj-6jjq-h8g9
Vulnerability from github
Published
2022-07-18 17:07
Modified
2024-10-28 18:16
Summary
jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
Details

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML: html <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: js $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: html <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: html <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:jquery-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "jquery-ui-rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "jQuery.UI.Combined"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-18T17:07:36Z",
    "nvd_published_at": "2022-07-20T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nInitializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( \"refresh\" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.\n\nFor example, starting with the following initial secure HTML:\n```html\n\u003clabel\u003e\n\t\u003cinput id=\"test-input\"\u003e\n\t\u0026lt;img src=x onerror=\"alert(1)\"\u0026gt;\n\u003c/label\u003e\n```\nand calling:\n```js\n$( \"#test-input\" ).checkboxradio();\n$( \"#test-input\" ).checkboxradio( \"refresh\" );\n```\nwill turn the initial HTML into:\n```html\n\u003clabel\u003e\n\t\u003c!-- some jQuery UI elements --\u003e\n\t\u003cinput id=\"test-input\"\u003e\n\t\u003cimg src=x onerror=\"alert(1)\"\u003e\n\u003c/label\u003e\n```\nand the alert will get executed.\n\n### Patches\nThe bug has been patched in jQuery UI 1.13.2.\n\n### Workarounds\nTo remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`:\n```html\n\u003clabel\u003e\n\t\u003cinput id=\"test-input\"\u003e\n\t\u003cspan\u003e\u0026lt;img src=x onerror=\"alert(1)\"\u0026gt;\u003c/span\u003e\n\u003c/label\u003e\n```\n\n### References\nhttps://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/\n\n### For more information\nIf you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don\u0027t find an answer, open a new issue.",
  "id": "GHSA-h6gj-6jjq-h8g9",
  "modified": "2024-10-28T18:16:33Z",
  "published": "2022-07-18T17:07:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9"
    },
    {
      "type": "WEB",
      "url": "https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/VERSIONS.md"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jquery/jquery-ui"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220909-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2022-052"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.