ghsa-h6gj-6jjq-h8g9
Vulnerability from github
Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" )
on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.
For example, starting with the following initial secure HTML:
html
<label>
<input id="test-input">
<img src=x onerror="alert(1)">
</label>
and calling:
js
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
html
<label>
<!-- some jQuery UI elements -->
<input id="test-input">
<img src=x onerror="alert(1)">
</label>
and the alert will get executed.
Patches
The bug has been patched in jQuery UI 1.13.2.
Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label
in a span
:
html
<label>
<input id="test-input">
<span><img src=x onerror="alert(1)"></span>
</label>
References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
{ "affected": [ { "package": { "ecosystem": "npm", "name": "jquery-ui" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.13.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.webjars.npm:jquery-ui" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.13.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "RubyGems", "name": "jquery-ui-rails" }, "ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "7.0.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "jQuery.UI.Combined" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.13.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-31160" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-07-18T17:07:36Z", "nvd_published_at": "2022-07-20T20:15:00Z", "severity": "MODERATE" }, "details": "### Impact\nInitializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( \"refresh\" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.\n\nFor example, starting with the following initial secure HTML:\n```html\n\u003clabel\u003e\n\t\u003cinput id=\"test-input\"\u003e\n\t\u0026lt;img src=x onerror=\"alert(1)\"\u0026gt;\n\u003c/label\u003e\n```\nand calling:\n```js\n$( \"#test-input\" ).checkboxradio();\n$( \"#test-input\" ).checkboxradio( \"refresh\" );\n```\nwill turn the initial HTML into:\n```html\n\u003clabel\u003e\n\t\u003c!-- some jQuery UI elements --\u003e\n\t\u003cinput id=\"test-input\"\u003e\n\t\u003cimg src=x onerror=\"alert(1)\"\u003e\n\u003c/label\u003e\n```\nand the alert will get executed.\n\n### Patches\nThe bug has been patched in jQuery UI 1.13.2.\n\n### Workarounds\nTo remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`:\n```html\n\u003clabel\u003e\n\t\u003cinput id=\"test-input\"\u003e\n\t\u003cspan\u003e\u0026lt;img src=x onerror=\"alert(1)\"\u0026gt;\u003c/span\u003e\n\u003c/label\u003e\n```\n\n### References\nhttps://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/\n\n### For more information\nIf you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don\u0027t find an answer, open a new issue.", "id": "GHSA-h6gj-6jjq-h8g9", "modified": "2024-10-28T18:16:33Z", "published": "2022-07-18T17:07:36Z", "references": [ { "type": "WEB", "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31160" }, { "type": "WEB", "url": "https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9" }, { "type": "WEB", "url": "https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released" }, { "type": "WEB", "url": "https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/VERSIONS.md" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery-ui" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220909-0007" }, { "type": "WEB", "url": "https://www.drupal.org/sa-contrib-2022-052" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ], "summary": "jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.