First published: Mon Oct 25 2021
### Impact

Accepting the value of the `of` option of the [`.position()`](https://api.jqueryui.com/position/) util from untrusted sources may execute untrusted code. Before 1.13.0 the option was handed straight to `$()`, which parses any string that looks like HTML into live elements, so an `<img>` with an inline `onerror` handler runs that handler as soon as its `src` fails to load. For example, invoking the following code:

```js
$( "#element" ).position( {
  my: "left top",
  at: "right bottom",
  of: "<img onerror='doEvilThing()' src='/404' />",
  collision: "none"
} );
```

will call the `doEvilThing()` function.

### Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector.

### Workarounds

A workaround is to not accept the value of the `of` option from untrusted sources. Where the target is derived from user-controlled data, pass a DOM element or jQuery object rather than a string.

### For more information

If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.
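The following is an added example and not code from the advisory or from jQuery UI. It shows why the payload above is parsed as HTML rather than used as a selector, and how a caller still on jQuery UI < 1.13.0 can guard the `of` option. The regular expression mirrors the `rquickExpr` heuristic jQuery core uses to tell HTML from selectors; `looksLikeHtml`, `resolvePositionTarget`, `stubFind`, `fakeDocument` and `demo` are names chosen here, and the `find` parameter is a hypothetical selector lookup (standing in for `document.querySelector`) so the code runs under Node without a DOM.

```javascript
// Added example (not jQuery UI's code): why the payload above is parsed as HTML,
// and a guard for callers still on jQuery UI < 1.13.0, where a string `of`
// went straight to $(). jQuery core decides "HTML or selector" with the
// heuristic below; anything it calls HTML is turned into live DOM nodes, so an
// <img> with an inline onerror handler fires as soon as its src fails to load.

// Mirrors jQuery core's rquickExpr: group 1 captures an HTML fragment (allowing
// leading whitespace and trailing junk), group 2 a bare "#id" selector.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// True when jQuery's $(string) would build elements instead of running a selector.
function looksLikeHtml(value) {
  const s = String(value);
  // Fast path used by jQuery core: "<...>" with at least 3 characters.
  if (s.length >= 3 && s[0] === "<" && s[s.length - 1] === ">") {
    return true;
  }
  const match = rquickExpr.exec(s);
  return Boolean(match && match[1]);
}

// Resolve the `of` option the way jQuery UI 1.13.0 does: elements, jQuery
// objects, events and window pass through; strings are only ever selectors.
// `find` is a hypothetical selector lookup (document.querySelector in a
// browser) injected so this runs under Node without a DOM.
function resolvePositionTarget(of, find) {
  if (of === null || of === undefined) {
    throw new TypeError("`of` must be an element, selector, event or window");
  }
  if (typeof of === "string") {
    if (looksLikeHtml(of)) {
      // Hard fail rather than silently running a selector lookup: an HTML
      // string here is either a bug or an attack, and the caller should know.
      throw new Error("refusing to treat an HTML string as `of`; pass a selector");
    }
    return find(of); // selector-only path, equivalent to $( document ).find( of )
  }
  return of;
}

// Constructed stand-in for a document with one positionable element.
const fakeDocument = new Map([["#element", { id: "element", tagName: "DIV" }]]);
function stubFind(selector) {
  return fakeDocument.get(selector) || null;
}

// Inputs exercised below: the advisory's payload, a padded variant that a naive
// startsWith("<") check would miss, and two ordinary selectors.
const ADVISORY_PAYLOAD = "<img onerror='doEvilThing()' src='/404' />";
const PADDED_PAYLOAD = "  <img src=x onerror=doEvilThing()>  trailing text";
const SELECTORS = ["#element", ".menu > li.active"];

function demo() {
  const results = {};
  for (const input of [ADVISORY_PAYLOAD, PADDED_PAYLOAD, ...SELECTORS]) {
    try {
      results[input] = resolvePositionTarget(input, stubFind) ? "resolved" : "no match";
    } catch (err) {
      results[input] = "rejected: " + err.message;
    }
  }
  return results;
}

console.log(demo());
```

The padded payload matters: jQuery's heuristic accepts leading whitespace and trailing text after the closing `>`, so a guard that only checks the first character still lets HTML through. On jQuery UI 1.13.0 and later the library itself takes the selector-only path for strings, and this wrapper is no longer needed.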
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/jquery-ui-rails | <7.0.0 | 7.0.0 |
nuget/jQuery.UI.Combined | <1.13.0 | 1.13.0 |
maven/org.webjars.npm:jquery-ui | <1.13.0 | 1.13.0 |
npm/jquery-ui | <1.13.0 | 1.13.0 |
debian/jqueryui | 1.12.1+dfsg-8+deb11u2 1.13.2+dfsg-1 | |
debian/otrs2 | <=6.0.32-6 | |
IBM Security QRadar | <=7.5.0 GA | |
IBM Security QRadar | >=7.4.3 GA<=7.4.3 FP4 | |
IBM Security QRadar | >=7.3.3 GA<=7.3.3 FP10 | |
jQuery UI | <1.13.0 | |
Red Hat Fedora | =33 | |
Red Hat Fedora | =34 | |
Red Hat Fedora | =35 | |
Red Hat Fedora | =36 | |
NetApp H300S Firmware | ||
NetApp H500e Firmware | ||
NetApp H700S | ||
NetApp H300E | ||
NetApp H300E Firmware | ||
NetApp H500S Firmware | ||
NetApp H700E | ||
NetApp H410S | ||
NetApp H410S Firmware | ||
NetApp H410C | ||
NetApp H410C Firmware | ||
Drupal | >=7.0<7.86 | |
Drupal | >=9.2.0<9.2.11 | |
Drupal | >=9.3.0<9.3.3 | |
Tenable.sc | <5.21.0 | |
Oracle Agile Product Lifecycle Management Framework | =9.3.6 | |
Oracle Application Express | <22.1.1 | |
Oracle Banking Platform | =2.9.0 | |
Oracle Banking Platform | =2.12.0 | |
Oracle Big Data Spatial and Graph | <23.1 | |
Oracle Big Data Spatial and Graph | =23.1 | |
Oracle Communications Interactive Session Recorder | =6.4 | |
Oracle Communications Operations Monitor | =4.3 | |
Oracle Communications Operations Monitor | =4.4 | |
Oracle Communications Operations Monitor | =5.0 | |
Oracle Hospitality Inventory Management | =9.1.0 | |
Oracle Hospitality Materials Control | =18.1 | |
Oracle Hospitality Suite 8 Property Interfaces | >=8.11.0<=8.14.0 | |
Oracle Hospitality Suite 8 Property Interfaces | =8.10.2 | |
Oracle JD Edwards EnterpriseOne Tools | <=9.2.6.3 | |
Oracle PeopleTools | =8.58 | |
Oracle PeopleTools | =8.59 | |
Oracle Policy Automation | >=12.2.0<=12.2.25 | |
Oracle Primavera Unifier | >=17.7<=17.12 | |
Oracle Primavera Unifier | =18.8 | |
Oracle Primavera Unifier | =19.12 | |
Oracle Primavera Unifier | =20.12 | |
Oracle Primavera Unifier | =21.12 | |
Oracle REST Data Services | <22.1.1 | |
Oracle REST Data Services | =22.1.1 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
CVE-2021-41184 is rated medium severity: an attacker who controls the `of` option gets script executed in the victim's browser (cross-site scripting), not code execution on the server.
To remediate CVE-2021-41184, update jquery-ui to version 1.13.0 or later; the fixed version for each packaging of the library is given in the table above.
CVE-2021-41184 affects jQuery UI before 1.13.0 in every distribution of it, including the npm `jquery-ui` package, the `jQuery.UI.Combined` NuGet package, the `jquery-ui-rails` gem and the WebJars artifact, as well as the products that bundle it listed above.
The vulnerability allows execution of untrusted script because `.position()` accepted an HTML string in its `of` option and parsed it into live elements instead of treating it as a selector.
Exploitation requires that the `of` value be built from attacker-influenced input; where that is the case, the result is cross-site scripting in the context of the affected page.