CVE-2021-41182

MEDIUM

Published 2021-10-26T00:00:00.000Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-41182. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

6.5

/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.193

probability

of exploitation in the wild

There is a 19.3% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.950

Higher than 95.0% of all CVEs

Attack Vector Metrics

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Impact Metrics

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

jquery

jquery-ui

Affected Versions:

< 1.13.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

XSS in the `altField` option of the Datepicker widget in jquery-ui

GHSA-9gj3-hwp5-pmwc

Advisory Details

### Impact Accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: ```js $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); ``` will call the `doEvilThing` function. ### Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. ### Workarounds A workaround is to not accept the value of the `altField` option from untrusted sources. ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.

Affected Packages

npm jquery-ui

ECOSYSTEM: ≥0 <1.13.0

NuGet jQuery.UI.Combined

ECOSYSTEM: ≥0 <1.13.0

RubyGems jquery-ui-rails

ECOSYSTEM: ≥0 <7.0.0

Maven org.webjars.npm:jquery-ui

ECOSYSTEM: ≥0 <1.13.0

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References

WEB https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-41182

WEB https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63

WEB https://www.tenable.com/security/tns-2022-09

WEB https://www.oracle.com/security-alerts/cpujul2022.html

WEB https://www.oracle.com/security-alerts/cpuapr2022.html

WEB https://www.drupal.org/sa-core-2022-002

WEB https://www.drupal.org/sa-contrib-2022-004

WEB https://security.netapp.com/advisory/ntap-20211118-0004

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3

WEB https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

WEB https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html

WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ui-rails/CVE-2021-41182.yml

PACKAGE https://github.com/jquery/jquery-ui

WEB https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released

Advisory provided by GitHub Security Advisory Database. Published: October 26, 2021, Modified: October 27, 2021

References

https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc

https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63

https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/

https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html

https://www.drupal.org/sa-core-2022-002

https://www.oracle.com/security-alerts/cpuapr2022.html

https://security.netapp.com/advisory/ntap-20211118-0004/

https://www.drupal.org/sa-contrib-2022-004

https://www.oracle.com/security-alerts/cpujul2022.html

https://www.tenable.com/security/tns-2022-09

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/

https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Published: 2021-10-26T00:00:00.000Z

Last Modified: 2025-02-13T16:28:30.239Z

Copied to clipboard!

CVE-2021-41182

Expert Analysis

CVSS Score

EPSS Score

Attack Vector Metrics

Impact Metrics

Description

Available Exploits

Related News

Affected Products

jquery-ui

Affected Versions:

GitHub Security Advisories

XSS in the `altField` option of the Datepicker widget in jquery-ui

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!