Debian Bug report logs -
#1015982
jqueryui: CVE-2022-31160
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
:
Bug#1015982
; Package src:jqueryui
.
(Sun, 24 Jul 2022 18:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
.
(Sun, 24 Jul 2022 18:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: jqueryui
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for jqueryui.
CVE-2022-31160[0]:
| jQuery UI is a curated set of user interface interactions, effects,
| widgets, and themes built on top of jQuery. Versions prior to 1.13.2
| are potentially vulnerable to cross-site scripting. Initializing a
| checkboxradio widget on an input enclosed within a label makes that
| parent label contents considered as the input label. Calling
| `.checkboxradio( "refresh" )` on such a widget and the initial HTML
| contained encoded HTML entities will make them erroneously get
| decoded. This can lead to potentially executing JavaScript code. The
| bug has been patched in jQuery UI 1.13.2. To remediate the issue,
| someone who can change the initial HTML can wrap all the non-input
| contents of the `label` in a `span`.
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160
Please adjust the affected versions in the BTS as needed.
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Mon Jul 25 13:16:47 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.