CVE-2022-31160: jQuery UI contains potential XSS vulnerability when refreshing a checkboxradio with an HTML-like initial text label
First published: Mon Jul 18 2022(Updated: )
### Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: ```html <label> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and calling: ```js $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); ``` will turn the initial HTML into: ```html <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> ``` and the alert will get executed. ### Patches The bug has been patched in jQuery UI 1.13.2. ### Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`: ```html <label> <input id="test-input"> <span><img src=x onerror="alert(1)"></span> </label> ``` ### References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don't find an answer, open a new issue.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jqueryui | 1.12.1+dfsg-8+deb11u2 1.13.2+dfsg-1 | |
| Jqueryui Jquery Ui Jquery | <1.13.2 | |
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| Netapp H410s Firmware | ||
| Netapp H410s | ||
| Netapp H410c Firmware | ||
| Netapp H410c | ||
| NetApp OnCommand Insight | ||
| Drupal Jquery Ui Checkboxradio Drupal | =8.x-1.0 | |
| Drupal Jquery Ui Checkboxradio Drupal | =8.x-1.1 | |
| Drupal Jquery Ui Checkboxradio Drupal | =8.x-1.2 | |
| Drupal Jquery Ui Checkboxradio Drupal | =8.x-1.3 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Debian Debian Linux | =10.0 | |
| All of | ||
| Netapp H300s Firmware | ||
| Netapp H300s | ||
| All of | ||
| Netapp H500s Firmware | ||
| Netapp H500s | ||
| All of | ||
| Netapp H700s Firmware | ||
| Netapp H700s | ||
| All of | ||
| Netapp H410s Firmware | ||
| Netapp H410s | ||
| All of | ||
| Netapp H410c Firmware | ||
| Netapp H410c | ||
| IBM Cognos Command Center | <=10.2.4.1 | |
| rubygems/jquery-ui-rails | <=7.0.0 | |
| nuget/jQuery.UI.Combined | <1.13.2 | 1.13.2 |
| maven/org.webjars.npm:jquery-ui | <1.13.2 | 1.13.2 |
| npm/jquery-ui | <1.13.2 | 1.13.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
- https://nvd.nist.gov/vuln/detail/CVE-2022-31160
- https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9
- https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
- https://www.drupal.org/sa-contrib-2022-052
- https://security.netapp.com/advisory/ntap-20220909-0007/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
- https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
- https://github.com/advisories/GHSA-h6gj-6jjq-h8g9 (Advisory)
- https://launchpad.net/bugs/cve/CVE-2022-31160
- https://security-tracker.debian.org/tracker/CVE-2022-31160
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/231462
- https://www.ibm.com/support/pages/node/6983274 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160
- https://ubuntu.com/security/CVE-2022-31160
- https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released
- https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/VERSIONS.md
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6
- https://security.netapp.com/advisory/ntap-20220909-0007
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2022-31160.
What is the impact of this vulnerability?
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label, leading to the incorrect decoding of encoded HTML entities.
How can I trigger this vulnerability?
To trigger this vulnerability, you need to initialize a checkboxradio widget on an input enclosed within a label that contains encoded HTML entities and then call `.checkboxradio( "refresh" )` on the widget.
What is the severity rating of CVE-2022-31160?
CVE-2022-31160 has a severity rating of 6.1 (Medium).
How do I fix CVE-2022-31160?
To fix CVE-2022-31160, update your jQuery UI library to version 1.13.2 or higher.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/title
- collector/ibm-support
- source/IBM
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h6gj-6jjq-h8g9
- alias/CVE-2022-31160
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/github-advisory
- package-manager/debian
- vendor/jqueryui
- canonical/jqueryui jquery ui jquery
- vendor/netapp
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h410s firmware
- canonical/netapp h410s
- canonical/netapp h410c firmware
- canonical/netapp h410c
- canonical/netapp oncommand insight
- vendor/drupal
- canonical/drupal jquery ui checkboxradio drupal
- version/drupal jquery ui checkboxradio drupal/8.x-1.0
- version/drupal jquery ui checkboxradio drupal/8.x-1.1
- version/drupal jquery ui checkboxradio drupal/8.x-1.2
- version/drupal jquery ui checkboxradio drupal/8.x-1.3
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- vendor/ibm
- canonical/ibm cognos command center
- version/ibm cognos command center/10.2.4.1
- package-manager/rubygems
- package-manager/nuget
- package-manager/maven
- package-manager/npm