
it-securitynotifies - [IT-SecNots] [Security-news] jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
  • Date: Wed, 19 Jan 2022 17:47:58 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-004

Project: jQuery UI Datepicker [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description: 
jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker
module provides the jQuery UI Datepicker library, which is not included in
Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development,
and released jQuery UI 1.13.0 [3]. As part of this 1.13.0 update,
they disclosed the following security issues that may affect sites using the
jQuery UI Datepicker module:

* CVE-2021-41182: XSS in the altField option of the Datepicker widget [4]
* CVE-2021-41183: XSS in *Text options of the Datepicker widget [5]

Solution: 
Install the latest version:

* If you use the jQuery UI Datepicker module for Drupal 9.x, upgrade to
jQuery UI Datepicker 8.x-1.2 [6]

Reported By: 
* Lauri Eskola [7]

Fixed By: 
* Andrei Ivnitskii [8]
* Ben Mullins [9]
* Lauri Eskola [10]


[1] https://www.drupal.org/project/jquery_ui_datepicker
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4] https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
[5] https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[6] https://www.drupal.org/project/jquery_ui_datepicker/releases/8.x-1.2
[7] https://www.drupal.org/user/1078742
[8] https://www.drupal.org/user/3547706
[9] https://www.drupal.org/user/2369194
[10] https://www.drupal.org/user/1078742
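
An added example, not part of the advisory or the module's code: a JavaScript check that flags Datepicker options covered by the two CVEs when the loaded jQuery UI is older than 1.13.0. The function names and the sample options are constructed for illustration, the version string is assumed to come from `jQuery.ui.version`, and treating any `<` in a value as markup is a heuristic.

```javascript
// Added example: audit Datepicker options against SA-CONTRIB-2022-004.
// Assumption: versions below 1.13.0 (the release named in the advisory) are affected.
const FIXED_VERSION = [1, 13, 0];

// Compare a dotted version string (e.g. the value of jQuery.ui.version)
// with 1.13.0. Pre-release suffixes are ignored.
function isPatched(version) {
  const parts = String(version).split(".").map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    const part = parts[i] || 0;
    if (part !== FIXED_VERSION[i]) return part > FIXED_VERSION[i];
  }
  return true;
}

// Return one finding per option that carries markup into an unpatched widget.
// Heuristic (assumption): a "<" in a string value means HTML, not a selector
// or a plain label.
function auditDatepickerOptions(uiVersion, options) {
  const findings = [];
  if (isPatched(uiVersion)) return findings;
  for (const [name, value] of Object.entries(options)) {
    if (typeof value !== "string" || !value.includes("<")) continue;
    if (name === "altField") {
      findings.push({ option: name, cve: "CVE-2021-41182" });
    } else if (name.endsWith("Text")) {
      findings.push({ option: name, cve: "CVE-2021-41183" });
    }
  }
  return findings;
}

// Constructed sample configuration, as a site might build it from stored settings.
const sampleOptions = {
  altField: "<span>",
  nextText: "<b>Next</b>",
  prevText: "Prev",
  dateFormat: "yy-mm-dd",
};

console.log(auditDatepickerOptions("1.12.1", sampleOptions));
console.log(auditDatepickerOptions("1.13.0", sampleOptions));
```

A non-empty result on a site still running the old library marks the options to keep free of user-controlled input until the upgrade is installed.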
