jqueryui jquery-ui CVE-2022-31160 vulnerability in Jqueryui and Other Products
Published on July 20, 2022

jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label

product logo product logo product logo product logo product logo product logo product logo
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

Github Repository Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-31160 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-31160. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2022-31160 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2022-31160

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-31160 are published in these products:

Jqueryui Jquery Ui
 
NetApp Oncommand Insight
 
Drupal Jquery Ui Checkboxradio
 
Fedora Project Fedora
 
Debian Linux
 
Canonical Ubuntu Linux
 
Oracle
 

Affected Versions

jquery-ui Version < 1.13.2 is affected by CVE-2022-31160

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-31160

Package Manager Vulnerable Package Versions Fixed In
npm jquery-ui < 1.13.2 1.13.2

Exploit Probability

EPSS
10.18%
Percentile
93.02%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.