Vulnerability Description
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label causes the contents of that enclosing label to be treated as the input's label. If the initial HTML contained encoded HTML entities, calling `.checkboxradio( "refresh" )` on such a widget erroneously decodes them, which can lead to executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
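The markup pattern the advisory describes, and its recommended span workaround, as an added audit example (not jQuery UI's own code): it flags labels that enclose a checkbox or radio input and carry entity-encoded text directly inside the label, and wraps that text in a span. The regexes, function names and sample markup are constructed assumptions, and labels are assumed not to be nested.

```javascript
// Added example (not jQuery UI's code): audit markup for the pattern behind
// CVE-2022-31160. jQuery UI < 1.13.2 treats the contents of a <label> that
// encloses a checkbox/radio <input> as the widget label, and on
// .checkboxradio("refresh") re-inserts that text as HTML, so entity
// references in it get decoded. The advisory's workaround is to wrap the
// non-input label contents in a <span>.
// Assumption: labels are not nested and the markup is regular enough for
// regexes; a production audit should use a real HTML parser instead.

const LABEL_RE = /<label\b[^>]*>([\s\S]*?)<\/label>/gi;
const INPUT_RE = /<input\b[^>]*\btype\s*=\s*["']?(?:checkbox|radio)\b[^>]*>/i;
const ENTITY_RE = /&(?:[a-z]+|#\d+|#x[0-9a-f]+);/i;

// Text sitting directly inside the label: drop <span>...</span> blocks
// (already protected by the workaround) and any remaining tags.
function directText(labelInner) {
  return labelInner
    .replace(/<span\b[^>]*>[\s\S]*?<\/span>/gi, "")
    .replace(/<[^>]+>/g, "");
}

// Return the inner HTML of every label the refresh bug would affect.
function findRiskyLabels(html) {
  const risky = [];
  for (const m of html.matchAll(LABEL_RE)) {
    const inner = m[1];
    if (INPUT_RE.test(inner) && ENTITY_RE.test(directText(inner))) {
      risky.push(inner);
    }
  }
  return risky;
}

// Apply the workaround to one label's inner HTML: every chunk that is not
// the <input> tag itself gets wrapped in a <span>.
function wrapNonInputContent(labelInner) {
  return labelInner
    .split(/(<input\b[^>]*>)/i)
    .map(p => (/^<input\b/i.test(p) || p.trim() === "") ? p : `<span>${p}</span>`)
    .join("");
}

// Constructed sample markup: one affected label, one already-wrapped label,
// one label that does not enclose a checkbox/radio input.
const SAMPLE = [
  '<label><input type="checkbox" id="a"> Accept &lt;b&gt;terms&lt;/b&gt;</label>',
  '<label><input type="radio" name="r"> <span>Plain &amp; safe</span></label>',
  '<label for="t">Not a widget &amp; no input</label>',
].join("\n");

for (const inner of findRiskyLabels(SAMPLE)) {
  console.log("risky label:", inner);
  console.log("remediated: ", wrapNonInputContent(inner));
}
```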
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jqueryui | Jquery Ui | < 1.13.2 |
| Netapp | H300S Firmware | - |
| Netapp | H300S | - |
| Netapp | H500S Firmware | - |
| Netapp | H500S | - |
| Netapp | H700S Firmware | - |
| Netapp | H700S | - |
| Netapp | H410S Firmware | - |
| Netapp | H410S | - |
| Netapp | H410C Firmware | - |
| Netapp | H410C | - |
| Netapp | Oncommand Insight | - |
| Drupal | Jquery Ui Checkboxradio | 8.x-1.0 |
| Fedoraproject | Fedora | 35 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ (Release Notes, Vendor Advisory)
- https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba (Patch, Third Party Advisory)
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 (Exploit, Mitigation, Release Notes)
- https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20220909-0007/ (Third Party Advisory)
- https://www.drupal.org/sa-contrib-2022-052 (Third Party Advisory)
FAQ
What is CVE-2022-31160?
CVE-2022-31160 is a vulnerability with a CVSS score of 6.1 (MEDIUM). jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializin...
How severe is CVE-2022-31160?
CVE-2022-31160 has been rated MEDIUM with a CVSS base score of 6.1/10. See the CVSS Score section above.
Is there a patch for CVE-2022-31160?
Check the references section above for vendor advisories and patch information. Affected products include: Jqueryui Jquery Ui, Netapp H300S Firmware, Netapp H300S, Netapp H500S Firmware, Netapp H500S.