CVE-2021-41184

Published: 26 October 2021

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.
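The workaround above can be applied by never forwarding the untrusted string itself to `of`. The following is an added example, not code from jQuery UI or from this advisory: `ALLOWED_TARGETS`, `resolvePositionTarget`, `isAffectedVersion`, the `anchor` query parameter and the element ids are assumptions made for illustration.

```javascript
// Added example. ALLOWED_TARGETS, resolvePositionTarget and isAffectedVersion
// are hypothetical helper names, not jQuery UI APIs.

// Fixed map from untrusted keys to selectors written by the application author.
const ALLOWED_TARGETS = new Map([
  ["toolbar", "#toolbar"],
  ["sidebar", "#sidebar"],
]);

// Return a developer-defined selector for an untrusted key, or null.
// The untrusted string is only used as a lookup key, never as the `of` value.
function resolvePositionTarget(untrustedKey) {
  if (typeof untrustedKey !== "string") return null;
  return ALLOWED_TARGETS.get(untrustedKey) ?? null;
}

// True when a jQuery UI version string is older than 1.13.0 (the fixed release).
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return true; // unparseable version: treat as affected
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major !== 1) return major < 1;
  if (minor !== 13) return minor < 13;
  // Assumption: a pre-release of 1.13.0 is conservatively treated as affected.
  return patch === 0 && m[4] !== undefined;
}

// Usage in a page that has loaded jQuery UI (guarded so the block also runs
// outside a browser). "#tooltip" and "anchor" are constructed sample names.
if (typeof window !== "undefined" && window.jQuery && window.jQuery.ui) {
  const $ = window.jQuery;
  const key = new URLSearchParams(window.location.search).get("anchor");
  const target = resolvePositionTarget(key);
  if (target) {
    $("#tooltip").position({ my: "left top", at: "left bottom", of: target });
  }
  if (isAffectedVersion($.ui.version)) {
    console.warn("jQuery UI " + $.ui.version + " predates 1.13.0");
  }
}
```
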

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: jqueryui (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Needs triage
focal     Needs triage
hirsute   Ignored (reached end-of-life)
impish    Needed
jammy     Not vulnerable (1.13.0)
trusty    Not vulnerable (code not present)
upstream  Released (1.13.0)
xenial    Ignored (out of standard support)