jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.1926.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
jquery jquery-ui affected
Version Status Constraints
< 1.13.0 affected

Configuration 1 [-]

cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*

Configuration 2 [-]

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 11 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 12 [-]

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration 13 [-]

OR cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Configuration 14 [-]

cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*

Configuration 15 [-]

OR cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*
cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Virtualization Engine 4.4
org.ovirt.engine-root-0:4.5.0.7-9 cpe:/a:redhat:rhev_manager:4.4:el8 RHSA-2022:4711 2022-05-26T00:00:00Z

No data.

Project Subscriptions

Vendors Products
Debian Subscribe
Debian Linux Subscribe
Drupal Subscribe
Drupal Subscribe
Fedoraproject Subscribe
Fedora Subscribe
Jqueryui Subscribe
Jquery Ui Subscribe
Netapp Subscribe
H300e Subscribe
H300e Firmware Subscribe
H300s Subscribe
H300s Firmware Subscribe
H410c Subscribe
H410c Firmware Subscribe
H410s Subscribe
H410s Firmware Subscribe
H500e Subscribe
H500e Firmware Subscribe
H500s Subscribe
H500s Firmware Subscribe
H700e Subscribe
H700e Firmware Subscribe
H700s Subscribe
H700s Firmware Subscribe
Oracle Subscribe
Agile Plm Subscribe
Application Express Subscribe
Banking Platform Subscribe
Big Data Spatial And Graph Subscribe
Communications Interactive Session Recorder Subscribe
Communications Operations Monitor Subscribe
Hospitality Inventory Management Subscribe
Hospitality Materials Control Subscribe
Hospitality Suite8 Subscribe
Jd Edwards Enterpriseone Tools Subscribe
Mysql Enterprise Monitor Subscribe
Peoplesoft Enterprise Peopletools Subscribe
Policy Automation Subscribe
Primavera Unifier Subscribe
Rest Data Services Subscribe
Weblogic Server Subscribe
Redhat Subscribe
Rhev Manager Subscribe
Tenable Subscribe
Tenable.sc Subscribe
Advisories
Source ID Title
Debian DLA Debian DLA DLA-2889-1 drupal7 security update
Debian DLA Debian DLA DLA-3230-1 jqueryui security update
Debian DLA Debian DLA DLA-3551-1 otrs2 security update
Github GHSA Github GHSA GHSA-9gj3-hwp5-pmwc XSS in the `altField` option of the Datepicker widget in jquery-ui
Ubuntu USN Ubuntu USN USN-6419-1 jQuery UI vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/ cve-icon cve-icon
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 cve-icon cve-icon
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-41182 cve-icon
https://security.netapp.com/advisory/ntap-20211118-0004/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-41182 cve-icon
https://www.drupal.org/sa-contrib-2022-004 cve-icon cve-icon
https://www.drupal.org/sa-core-2022-002 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
https://www.tenable.com/security/tns-2022-09 cve-icon cve-icon
History

No history.

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-02-13T16:28:30.239Z

Reserved: 2021-09-15T00:00:00.000Z

Link: CVE-2021-41182

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-10-26T15:15:10.313

Modified: 2024-11-21T06:25:41.707

Link: CVE-2021-41182

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-10-25T00:00:00Z

Links: CVE-2021-41182 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses