7 matches found
CVE-2021-41182
CVE-2021-41182 is an XSS in the jQuery-UI Datepicker altField path (embedded in some OTRS deployments). Affected version observed as 1.12.1 copy; the issue is fixed in jQuery UI 1.13.0 by treating any altField value as a CSS selector. Debris from related CVEs (41183/41184) describe similar issues...
CVE-2021-41184
CVE-2021-41184 describes an XSS in jQuery-UI before 1.13.0 where untrusted input passed to the of option of the .position() utility could lead to code execution. The connected documents confirm the issue affects jQuery-UI embedded in other software (e.g., OTRS/IU contexts) and state the fix is to...
CVE-2022-31160
CVE-2022-31160 affects jQuery UI versions prior to 1.13.2. The issue occurs when initializing a checkboxradio widget on an input inside a label; the label contents can be treated as the input label, and refreshing with .checkboxradio("refresh") on such a widget may decode encoded HTML entities in...
CVE-2016-7103
CVE-2016-7103 is a cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0, exploitable via the closeText parameter of the Dialog widget. The issue allows remote script/HTML injection. Remediation per connected documents is to upgrade to jQuery UI 1.12.0 or later (fixed version).
CVE-2021-41183
CVE-2021-41183 concerns jQuery-UI’s Datepicker in the embedded jQuery-UI copy used by OTRS (notably in the 1.12.1 series). The vulnerability arises from accepting values for the various *Text options from untrusted sources, which could allow execution of untrusted code. The issue is fixed in jQue...
CVE-2012-6662
CVE-2012-6662 is a cross-site scripting (XSS) vulnerability in the default content option of jquery.ui.tooltip.js (Tooltip widget) in jQuery UI before 1.10.0. The issue allows remote attackers to inject arbitrary script/HTML via the title attribute, exploitable through the autocomplete combo box ...
CVE-2010-5312
CVE-2010-5312 is a cross-site scripting (XSS) vulnerability in the jQuery UI Dialog widget (jquery.ui.dialog.js) where the title option for the dialog could be attacker-controlled to inject arbitrary script/HTML. It affects jQuery UI prior to 1.10.0. Public disclosures across Debian, Fedora, Red ...