it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004
- Date: Wed, 19 Jan 2022 17:47:58 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-004
Project: jQuery UI Datepicker [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker
module provides the jQuery UI Datepicker library, which is not included in
Drupal 9 core.
jQuery UI was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development,
and released a jQuery UI 1.13.0 [3] version. As part of this 1.13.0 update,
they disclosed the following security issues that may affect sites using the
jQuery UI Datepicker module:
* CVE-2021-41182: XSS in the altField option of the Datepicker widget [4]
* CVE-2021-41183: XSS in *Text options of the Datepicker widget [5]
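As an added illustration (not code from the advisory, jQuery UI or the Drupal module), the following defence-in-depth filter covers the two option families named above when a site builds Datepicker settings from input it does not control: altField is reduced to a plain id selector and every *Text option is HTML-escaped; the id-only restriction and the sample input are assumptions, and upgrading to 8.x-1.2 remains the actual fix.

```javascript
// Added example: filtering Datepicker options that may come from an
// untrusted source, covering altField (CVE-2021-41182) and the *Text
// options (CVE-2021-41183) named in the advisory. Upgrading is the fix;
// this only limits what reaches the widget in the meantime.

// Escape the characters that would let a string be interpreted as HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// altField names a second input that mirrors the chosen date. Assumption:
// the site only ever uses a plain id selector, so anything else (markup,
// attribute selectors) is dropped rather than passed through.
const ALT_FIELD_PATTERN = /^#[A-Za-z_][\w-]*$/;

function safeAltField(value) {
  if (typeof value !== 'string') return null;
  return ALT_FIELD_PATTERN.test(value) ? value : null;
}

// Build the option object: altField is validated, every option whose name
// ends in "Text" (closeText, prevText, currentText, ...) is escaped so it is
// rendered as text, and unknown keys are ignored.
function sanitizeDatepickerOptions(untrusted) {
  const clean = {};
  for (const [key, value] of Object.entries(untrusted)) {
    if (key === 'altField') {
      const alt = safeAltField(value);
      if (alt !== null) clean.altField = alt;
    } else if (key.endsWith('Text')) {
      clean[key] = escapeHtml(value);
    }
  }
  return clean;
}

// Constructed sample input resembling settings taken from a query string.
const sampleOptions = {
  altField: '<span>not a selector</span>',
  closeText: '<b>Done</b>',
  prevText: 'Prev',
};
```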
Solution:
Install the latest version:
* If you use the jQuery UI Datepicker module for Drupal 9.x, upgrade to
jQuery UI Datepicker 8.x-1.2 [6]
Reported By:
* Lauri Eskola [7]
Fixed By:
* Andrei Ivnitskii [8]
* Ben Mullins [9]
* Lauri Eskola [10]
[1] https://www.drupal.org/project/jquery_ui_datepicker
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4] https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
[5] https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[6] https://www.drupal.org/project/jquery_ui_datepicker/releases/8.x-1.2
[7] https://www.drupal.org/user/1078742
[8] https://www.drupal.org/user/3547706
[9] https://www.drupal.org/user/2369194
[10] https://www.drupal.org/user/1078742
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.