View online: https://www.drupal.org/sa-core-2022-001

Project: Drupal core [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting

Description:

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that development would continue, and released jQuery UI 1.13.0 [3]. As part of the 1.13.0 update, they disclosed the following security issue, which may affect Drupal 9 and 7:

* CVE-2021-41183: XSS in the "of" option of the .position() util [4]

It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site scripting issue, without making any of the other changes to the jQuery UI version that is included in Drupal.

This advisory is not covered by Drupal Steward [5].

Solution:

Install the latest version:

* If you are using Drupal 9.3, update to Drupal 9.3.3 [6].
* If you are using Drupal 9.2, update to Drupal 9.2.11 [7].
* If you are using Drupal 7, update to Drupal 7.86 [8].

All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life [9].
Reported By:

* Lauri Eskola [10]

Fixed By:

* Lauri Eskola [11]
* Chris [12] of the Drupal Security Team
* Drew Webber [13] of the Drupal Security Team
* Alex Bronstein [14] of the Drupal Security Team
* Ben Mullins [15]
* xjm [16] of the Drupal Security Team
* Théodore Biadala [17]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4] https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[5] https://www.drupal.org/steward
[6] https://www.drupal.org/project/drupal/releases/9.3.3
[7] https://www.drupal.org/project/drupal/releases/9.2.11
[8] https://www.drupal.org/project/drupal/releases/7.86
[9] https://www.drupal.org/psa-2021-06-29
[10] https://www.drupal.org/user/1078742
[11] https://www.drupal.org/user/1078742
[12] https://www.drupal.org/user/1850070
[13] https://www.drupal.org/user/255969
[14] https://www.drupal.org/user/78040
[15] https://www.drupal.org/user/2369194
[16] https://www.drupal.org/user/65776
[17] https://www.drupal.org/user/598310