[Security-news] jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
security-news at drupal.org
Wed Aug 10 16:57:42 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-052
Project: jQuery UI Checkboxradio [1]
Version: 8.x-1.3, 8.x-1.2, 8.x-1.1, 8.x-1.0
Date: 2022-August-10
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Uncommon [2]
Vulnerability: Cross site scripting
Description:
jQuery UI is a third-party library used by Drupal. The jQuery UI
Checkboxradio module provides the jQuery UI Checkboxradio library (which was
previously in Drupal 8 core, but has since been removed from core and moved
to this module).
As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed the
following security issue that may affect sites using the jQuery UI
Checkboxradio module:
* CVE-2022-31160:
XSS when refreshing a checkboxradio with an HTML-like initial text label
Solution:
Install the latest version. If you use the jQuery UI Checkboxradio module for
Drupal 9, upgrade to:
* jQuery UI Checkboxradio 8.x-1.4. [3]
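
One way to check a site's composer.lock against the fixed release named above. This is an added example, not code from the advisory or the Drupal project; the Composer package name drupal/jquery_ui_checkboxradio and the mapping of 8.x-1.4 to 1.4.0 are assumptions based on Drupal's usual packaging conventions, and the lock file content is constructed sample data.

```python
import json
import re

# Assumptions (not stated in the advisory): the Composer package name follows
# Drupal's "drupal/<project>" convention, and release 8.x-1.4 appears in
# composer.lock as 1.4.0.
PACKAGE = "drupal/jquery_ui_checkboxradio"
FIXED = (1, 4, 0)  # first fixed release per the advisory: 8.x-1.4


def parse_version(raw):
    """Return (major, minor, patch) for '8.x-1.3' or '1.3.0', else None."""
    v = raw.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)  # drop the legacy core prefix "8.x-"
    # Anchored on purpose: dev branches and pre-releases (-dev, -rc1, ...)
    # cannot be ordered against the fixed release, so they yield None.
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?$", v)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def check_lock(lock_text):
    """Classify each locked copy of the module: affected, fixed or unknown."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            version = pkg.get("version", "")
            parsed = parse_version(version)
            if parsed is None:
                status = "unknown"  # needs a manual look
            else:
                status = "affected" if parsed < FIXED else "fixed"
            findings.append((section, version, status))
    return findings


# Constructed sample input, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.5"},
        {"name": "drupal/jquery_ui_checkboxradio", "version": "1.3.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status}")
```

An "unknown" result means the locked version is a branch snapshot or pre-release and has to be compared with the 8.x-1.4 release by hand.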
Reported By:
* Benji Fisher [4], provisional member of the Drupal Security Team
Fixed By:
* Benji Fisher [5], provisional member of the Drupal Security Team
* xjm [6] of the Drupal Security Team
* Lauri Eskola [7], provisional member of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
Coordinated By:
* xjm [9] of the Drupal Security Team
[1] https://www.drupal.org/project/jquery_ui_checkboxradio
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jquery_ui_checkboxradio/releases/8.x-1.4
[4] https://www.drupal.org/user/683300
[5] https://www.drupal.org/user/683300
[6] https://www.drupal.org/user/65776
[7] https://www.drupal.org/user/1078742
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/user/65776