it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
- Date: Wed, 10 Aug 2022 16:57:42 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-052
Project: jQuery UI Checkboxradio [1]
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Uncommon [2]
Vulnerability: Cross site scripting
Description:
jQuery UI is a third-party library used by Drupal. The jQuery UI
Checkboxradio module provides the jQuery UI Checkboxradio library (which was
previously in Drupal 8 core, but has since been removed from core and moved
to this module).
As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed the
following security issue that may affect sites using the jQuery UI
Checkboxradio module:
* CVE-2022-31160:
XSS when refreshing a checkboxradio with an HTML-like initial text label
Solution:
Install the latest version. If you use the jQuery UI Checkboxradio module for
Drupal 9, upgrade to:
* jQuery UI Checkboxradio 8.x-1.4. [3]
Reported By:
* Benji Fisher [4], provisional member of the Drupal Security Team
Fixed By:
* Benji Fisher [5], provisional member of the Drupal Security Team
* xjm [6] of the Drupal Security Team
* Lauri Eskola [7], provisional member of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
Coordinated By:
* xjm [9] of the Drupal Security Team
[1] https://www.drupal.org/project/jquery_ui_checkboxradio
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jquery_ui_checkboxradio/releases/8.x-1.4
[4] https://www.drupal.org/user/683300
[5] https://www.drupal.org/user/683300
[6] https://www.drupal.org/user/65776
[7] https://www.drupal.org/user/1078742
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/65776
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
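
An added example, not part of the advisory or of the Drupal project's code: a check that reads a site's composer.lock and reports whether the installed jQuery UI Checkboxradio module is older than the fixed release 8.x-1.4. It assumes the module's Composer name is `drupal/jquery_ui_checkboxradio` and that Composer records 8.x-1.4 as 1.4.0; the lock file contents are constructed samples.

```python
import json
import re

PACKAGE = "drupal/jquery_ui_checkboxradio"  # assumed Composer name of the module
FIXED = (1, 4)                              # 8.x-1.4, the release named in the advisory


def parse_version(raw):
    """Return (major, minor) for '8.x-1.3', '1.3.0' or 'v1.3.0'; None for
    dev branches and pre-releases, which need a manual check."""
    m = re.fullmatch(r"v?(?:\d+\.x-)?(\d+)\.(\d+)(?:\.\d+)?", raw.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_lock(lock_text):
    """Return (package, version, status) tuples for the module found in a
    composer.lock document; an empty list means it is not installed."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") != PACKAGE:
                continue
            raw = str(pkg.get("version", ""))
            parsed = parse_version(raw)
            if parsed is None:
                status = "unknown"
            elif parsed < FIXED:
                status = "vulnerable"
            else:
                status = "fixed"
            findings.append((PACKAGE, raw, status))
    return findings


# Constructed sample lock files (not taken from any real site).
SAMPLE_OLD = json.dumps({"packages": [
    {"name": "drupal/core", "version": "9.4.5"},
    {"name": PACKAGE, "version": "1.3.0"},
]})
SAMPLE_NEW = json.dumps({"packages": [{"name": PACKAGE, "version": "1.4.0"}]})
SAMPLE_DEV = json.dumps({"packages": [], "packages-dev": [
    {"name": PACKAGE, "version": "1.x-dev"},
]})

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("dev", SAMPLE_DEV)):
        print(label, audit_lock(text))
```
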