View online: https://www.drupal.org/sa-contrib-2022-004
Project: jQuery UI Datepicker [1]
Date: 2022-January-19
Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.
jQuery UI was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that development would continue and released jQuery UI 1.13.0 [3]. As part of the 1.13.0 update, they disclosed the following security issues, which may affect sites using the jQuery UI Datepicker module:
* CVE-2021-41182: XSS in the altField option of the Datepicker widget [4]
* CVE-2021-41183: XSS in *Text options of the Datepicker widget [5]
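The two issues above concern Datepicker options that are populated from untrusted input: altField is used to locate another form element, and the *Text options (closeText, prevText, nextText, currentText and similar) become visible button and label text. Upgrading is the fix; the following is an added defence-in-depth example, not code from the advisory or from the jQuery UI Datepicker module, for sites that let request parameters or stored user settings influence widget options. It assumes the site only ever binds altField by a simple id or class selector (a convention assumed here) and treats any option name ending in "Text" as display text that must not contain markup delimiters.

```javascript
// Added example (not part of the advisory or the jquery_ui_datepicker module):
// an allowlist filter for Datepicker options that arrive from an untrusted
// source, applied before the options object is handed to .datepicker().

// altField is only meant to name another form element, so accept an id or
// class selector and nothing else (assumed site convention).
const ALT_FIELD_SELECTOR = /^[#.][A-Za-z_][\w-]*$/;

// Options whose value the widget renders as button or label text.
const TEXT_OPTION = /Text$/;

// True when a string contains nothing a browser would parse as a tag.
function isPlainText(value) {
  return typeof value === 'string' && !/[<>]/.test(value);
}

// Returns { options, rejected }: options safe to pass to the widget, and the
// names of any untrusted options that were dropped (worth logging server-side
// or client-side, since a rejected value is a signal of tampering).
function filterDatepickerOptions(untrusted) {
  const options = {};
  const rejected = [];
  for (const [name, value] of Object.entries(untrusted)) {
    if (name === 'altField') {
      if (typeof value === 'string' && ALT_FIELD_SELECTOR.test(value)) {
        options[name] = value;
      } else {
        rejected.push(name);
      }
    } else if (TEXT_OPTION.test(name)) {
      if (isPlainText(value)) {
        options[name] = value;
      } else {
        rejected.push(name);
      }
    } else {
      // Not one of the two option families named in the advisory; pass through.
      options[name] = value;
    }
  }
  return { options, rejected };
}

// Constructed sample: options as they might be assembled from a query string.
// prevText carries markup and is dropped; the rest are accepted unchanged.
const sample = {
  altField: '#alt-date',
  closeText: 'Done',
  prevText: '<b>Back</b>',
  dateFormat: 'yy-mm-dd',
};

console.log(filterDatepickerOptions(sample));
```

Usage: call filterDatepickerOptions on the untrusted object and pass only the returned options to the widget; in the sample above, prevText is rejected and the other three options are kept. The filter is deliberately strict rather than an escaper: once jQuery UI 1.13.0 treats the text options as pure text, an escaped value would be displayed literally, so rejecting markup keeps behaviour identical before and after the upgrade.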
Solution: Install the latest version:
* If you use the jQuery UI Datepicker module for Drupal 9.x, upgrade to jQuery UI Datepicker 8.x-1.2 [6]
Reported By:
* Lauri Eskola [7]
Fixed By:
* Andrei Ivnitskii [8]
* Ben Mullins [9]
* Lauri Eskola [10]
[1] https://www.drupal.org/project/jquery_ui_datepicker
[2] https://www.drupal.org/security-team/risk-levels
[3] https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/
[4] https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
[5] https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
[6] https://www.drupal.org/project/jquery_ui_datepicker/releases/8.x-1.2
[7] https://www.drupal.org/user/1078742
[8] https://www.drupal.org/user/3547706
[9] https://www.drupal.org/user/2369194
[10] https://www.drupal.org/user/1078742