GHSA-hpcf-8vf9-q4gj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hpcf-8vf9-q4gj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hpcf-8vf9-q4gj/GHSA-hpcf-8vf9-q4gj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hpcf-8vf9-q4gj
- Aliases
- Published
- 2017-10-24T18:33:35Z
- Modified
- 2024-03-11T05:20:56.476279Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- jQuery-UI vulnerable to Cross-site Scripting in dialog closeText
- Details
-
Affected versions of
jquery-uiare vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of thecloseTextparameter in thedialogfunction.jQuery-UI is a library for manipulating UI elements via jQuery.
Version 1.11.4 has a cross site scripting (XSS) vulnerability in the
closeTextparameter of thedialogfunction. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.Recommendation
Upgrade to jQuery-UI 1.12.0 or later.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-7103
- https://github.com/jquery/api.jqueryui.com/issues/281
- https://github.com/jquery/jquery-ui/pull/1622
- https://github.com/jquery-ui-rails/jquery-ui-rails/commit/d504a40538fe5f7998439ad2f8fc5c4a1f843f1c
- https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4
- https://security.netapp.com/advisory/ntap-20190416-0007
- https://web.archive.org/web/20200227030100/http://www.securityfocus.com/bid/104823
- https://www.drupal.org/sa-core-2022-002
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://jqueryui.com/changelog/1.12.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2016-7103.yml
- https://github.com/jquery/jquery-ui
- http://rhn.redhat.com/errata/RHSA-2016-2932.html
- http://rhn.redhat.com/errata/RHSA-2016-2933.html
- http://rhn.redhat.com/errata/RHSA-2017-0161.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Affected packages
npm / jquery-ui
Package
- Name
- jquery-ui
- View open source insights on deps.dev
- Purl
- pkg:npm/jquery-ui
RubyGems / jquery-ui-rails
Package
- Name
- jquery-ui-rails
- Purl
- pkg:gem/jquery-ui-rails
Maven / org.webjars.npm:jquery-ui
Package
- Name
- org.webjars.npm:jquery-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.webjars.npm/jquery-ui
NuGet / jQuery.UI.Combined
Package
- Name
- jQuery.UI.Combined
- View open source insights on deps.dev
- Purl
- pkg:nuget/jQuery.UI.Combined