Lucene search

[email protected]NVD:CVE-2021-41184

HistoryOct 26, 2021 - 3:15 p.m.

CVE-2021-41184

2021-10-2615:15:10

CWE-79

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.004 Low

EPSS

Percentile

75.1%

JSON

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Affected configurations

NVD

Node

jqueryuijquery_uiRange<1.13.0jquery

Node

fedoraprojectfedoraMatch33

fedoraprojectfedoraMatch34

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

Node

netapph300s_firmwareMatch-

AND

netapph300sMatch-

Node

netapph500s_firmwareMatch-

AND

netapph500sMatch-

Node

netapph700s_firmwareMatch-

AND

netapph700sMatch-

Node

netapph300eMatch-

AND

netapph300e_firmwareMatch-

Node

netapph500eMatch-

AND

netapph500e_firmwareMatch-

Node

netapph700eMatch-

AND

netapph700e_firmwareMatch-

Node

netapph410sMatch-

AND

netapph410s_firmwareMatch-

Node

netapph410cMatch-

AND

netapph410c_firmwareMatch-

Node

drupaldrupalRange7.0–7.86

drupaldrupalRange9.2.0–9.2.11

drupaldrupalRange9.3.0–9.3.3

Node

tenabletenable.scRange<5.21.0

Node

oracleagile_plmMatch9.3.6

oracleapplication_expressRange<22.1.1

oraclebanking_platformMatch2.9.0

oraclebanking_platformMatch2.12.0

oraclebig_data_spatial_and_graphRange<23.1

oraclebig_data_spatial_and_graphMatch23.1

oraclecommunications_interactive_session_recorderMatch6.4

oraclecommunications_operations_monitorMatch4.3

oraclecommunications_operations_monitorMatch4.4

oraclecommunications_operations_monitorMatch5.0

oraclehospitality_inventory_managementMatch9.1.0

oraclehospitality_materials_controlMatch18.1

oraclehospitality_suite8Range8.11.0–8.14.0

oraclehospitality_suite8Match8.10.2

oraclejd_edwards_enterpriseone_toolsRange≤9.2.6.3

oraclepeoplesoft_enterprise_peopletoolsMatch8.58

oraclepeoplesoft_enterprise_peopletoolsMatch8.59

oraclepolicy_automationRange12.2.0–12.2.25

oracleprimavera_unifierRange17.7–17.12

oracleprimavera_unifierMatch18.8

oracleprimavera_unifierMatch19.12

oracleprimavera_unifierMatch20.12

oracleprimavera_unifierMatch21.12

oraclerest_data_servicesRange<22.1.1-

oraclerest_data_servicesMatch22.1.1-

oracleweblogic_serverMatch12.2.1.3.0

oracleweblogic_serverMatch12.2.1.4.0

oracleweblogic_serverMatch14.1.1.0.0

References

blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280

github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327

lists.debian.org/debian-lts-announce/2023/08/msg00040.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/

security.netapp.com/advisory/ntap-20211118-0004/

www.drupal.org/sa-core-2022-001

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujul2022.html

www.tenable.com/security/tns-2022-09

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.004 Low

EPSS

Percentile

75.1%

JSON

Related for NVD:CVE-2021-41184

osv7 cvelist1 checkpoint_advisories1 ubuntucve1 drupal1 redhatcve1 debiancve1 ibm26 cve1 prion1 veracode1 github1 nessus23 openvas13 ubuntu2 f51 fedora6 debian2 redhat1 oracle8