Vulnerability Details : CVE-2021-41182
Potential exploit
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-41182
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.9:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:17.11:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_inventory_management:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_suite8:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:22.1.1:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*
- cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*
Threat overview for CVE-2021-41182
Top countries where our scanners detected CVE-2021-41182
Top open port discovered on systems with this issue
80
IPs affected by CVE-2021-41182 146,530
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2021-41182!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2021-41182
39.02%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-41182
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2021-41182
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2021-41182
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://www.drupal.org/sa-core-2022-002
Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 | Drupal.orgThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/
[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.0-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
[SECURITY] Fedora 36 Update: drupal7-7.92-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63
Datepicker: Make sure altField is treated as a CSS selector by mgol · Pull Request #1954 · jquery/jquery-ui · GitHubPatch;Third Party Advisory
-
https://www.tenable.com/security/tns-2022-09
[R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
jQuery UI 1.13.0 released | jQuery UI BlogRelease Notes;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
[SECURITY] Fedora 35 Update: drupal7-7.92-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/
[SECURITY] Fedora 34 Update: js-jquery-ui-1.13.0-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
XSS in the `altField` option of the Datepicker widget · Advisory · jquery/jquery-ui · GitHubExploit;Mitigation;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
[SECURITY] [DLA-2889-1] drupal7 security updateMailing List;Third Party Advisory
-
https://www.drupal.org/sa-contrib-2022-004
Access to this page has been denied.Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/
[SECURITY] Fedora 33 Update: js-jquery-ui-1.13.0-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20211118-0004/
October 2021 jQuery Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
[SECURITY] [DLA 3551-1] otrs2 security update
Jump to