Vulnerability Details : CVE-2022-31160
Potential exploit
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label causes the contents of that parent label to be treated as the input's label. If the initial HTML contained encoded HTML entities, calling `.checkboxradio( "refresh" )` on such a widget erroneously decodes them, which can lead to JavaScript code being executed. The bug has been patched in jQuery UI 1.13.2. As a workaround, anyone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
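The mechanism in the description is a text-to-HTML round trip: the label's contents are read back as text (so the browser has already decoded the entities) and then re-inserted as HTML, at which point the decoded characters become live markup. The following string-level model is an added example written for this page; it is not jQuery UI's code and does not touch the DOM. The entity table, the helper names (`refreshVulnerable`, `refreshFixed`, `refreshWouldInjectMarkup`) and the sample label are all constructed for the illustration. The "fixed" path follows the patch's stated intent (the label text is not re-evaluated as HTML), and the check function is the kind of pre-upgrade audit a defender might run over stored label markup.

```javascript
// Added example (not jQuery UI code): a string-level model of why re-reading a
// label's *text* and writing it back as *HTML* changes its meaning on "refresh".
// The entity handling is a constructed subset sufficient for the demonstration.

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode HTML entities the way a browser does when it exposes textContent.
function decodeEntities(html) {
  return html.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return String.fromCodePoint(cp);
    }
    const key = body.toLowerCase();
    return key in NAMED_ENTITIES ? NAMED_ENTITIES[key] : match;
  });
}

// Escape text so that it renders literally when placed into HTML.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// What the browser reports as the label's text: entities already decoded.
function labelText(initialLabelHtml) {
  return decodeEntities(initialLabelHtml);
}

// Pre-1.13.2 behaviour as the advisory describes it: the decoded text is
// written back as HTML, so characters that were inert entities become markup.
function refreshVulnerable(initialLabelHtml) {
  return labelText(initialLabelHtml);
}

// Patched behaviour (label text is not re-evaluated as HTML): the text is
// re-inserted as text, i.e. re-escaped, so a refresh leaves the markup unchanged.
function refreshFixed(initialLabelHtml) {
  return escapeHtml(labelText(initialLabelHtml));
}

// Defender's check: does this label's initial HTML contain encoded entities
// that a text-to-HTML round trip would turn into live markup?
function refreshWouldInjectMarkup(initialLabelHtml) {
  const decoded = labelText(initialLabelHtml);
  return decoded !== initialLabelHtml && /[<&]/.test(decoded);
}

// Constructed sample: a label meant to *display* the literal string "<b>terms</b>".
const SAMPLE_LABEL = "Agree to the &lt;b&gt;terms&lt;/b&gt;";

console.log("initial markup :", SAMPLE_LABEL);
console.log("vulnerable     :", refreshVulnerable(SAMPLE_LABEL)); // entities became tags
console.log("fixed          :", refreshFixed(SAMPLE_LABEL));      // identical to the initial markup
console.log("needs attention:", refreshWouldInjectMarkup(SAMPLE_LABEL));
```

The same model explains why the page's workaround helps: once the non-input contents sit inside a `span`, the widget no longer treats the raw label text as the thing to re-render, so there is no text-to-HTML round trip for encoded entities to fall through.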
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-31160
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:*
- cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:*
- cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:*
- cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:*
Threat overview for CVE-2022-31160
- Top countries where our scanners detected CVE-2022-31160: (chart, not reproduced here)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2022-31160: 148,714
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2022-31160
- EPSS score: 0.30% (probability of exploitation activity in the next 30 days)
- Percentile: ~69% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-31160
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
| 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | GitHub, Inc. | |
| 3.5 | LOW | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N | N/A | N/A | Oracle:CPUOct2023 | |
CWE ids for CVE-2022-31160
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31160
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
  XSS when refreshing a checkboxradio with an HTML-like initial text label · Advisory · jquery/jquery-ui · GitHub [Exploit; Mitigation; Release Notes; Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20220909-0007/
  CVE-2022-31160 jQuery Vulnerability in NetApp Products | NetApp Product Security [Third Party Advisory]
- https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
  Checkboxradio: Don't re-evaluate text labels as HTML · jquery/jquery-ui@8cc5bae · GitHub [Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
  [SECURITY] Fedora 36 Update: js-jquery-ui-1.13.2-1.fc36 - package-announce - Fedora Mailing-Lists [Mailing List; Third Party Advisory]
- https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
  jQuery UI 1.13.2 released | jQuery UI Blog [Release Notes; Vendor Advisory]
- https://www.drupal.org/sa-contrib-2022-052
  jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052 | Drupal.org [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
  [SECURITY] [DLA 3230-1] jqueryui security update [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
  [SECURITY] Fedora 35 Update: js-jquery-ui-1.13.2-1.fc35 - package-announce - Fedora Mailing-Lists [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
  [SECURITY] Fedora 37 Update: js-jquery-ui-1.13.2-1.fc37 - package-announce - Fedora Mailing-Lists [Mailing List; Third Party Advisory]