Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-gpqq-952q-5327

GitHub Security Advisory

XSS in the `of` option of the `.position()` util in jquery-ui

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
Accepting the value of the `of` option of the [`.position()`](https://api.jqueryui.com/position/) util from untrusted sources may execute untrusted code. For example, invoking the following code:
```js
$( "#element" ).position( {
my: "left top",
at: "right bottom",
of: "<img onerror='doEvilThing()' src='/404' />",
collision: "none"
} );
```
will call the `doEvilThing()` function.

### Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector.

### Workarounds
A workaround is to not accept the value of the `of` option from untrusted sources.

### For more information
If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.

Affected Packages

npm jquery-ui
Affected versions: 0 (fixed in 1.13.0)
Maven org.webjars.npm:jquery-ui
Affected versions: 0 (fixed in 1.13.0)
NuGet jQuery.UI.Combined
Affected versions: 0 (fixed in 1.13.0)
RubyGems jquery-ui-rails
Affected versions: 0 (fixed in 7.0.0)

Related CVEs

CVE-2021-41184

Key Information

GHSA ID
GHSA-gpqq-952q-5327
Published
October 26, 2021 2:55 PM
Last Modified
October 4, 2022 9:36 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
jquery-ui
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 30, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.