
CVE-2022-31160

Disclosure Date: July 20, 2022

Description

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label causes the contents of that parent label to be treated as the input's label. If the initial HTML contains encoded HTML entities, calling .checkboxradio( "refresh" ) on such a widget erroneously decodes them, which can lead to execution of JavaScript code. The bug has been patched in jQuery UI 1.13.2. As a workaround, anyone who can change the initial HTML can wrap all the non-input contents of the label in a span.


CVSS V3 Severity and Metrics

Base Score: 6.1 Medium
Impact Score: 2.7
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

General Information

Vendors

  • debian
  • drupal
  • fedoraproject
  • jqueryui
  • netapp

Products

  • debian linux 10.0
  • fedora 35
  • fedora 36
  • fedora 37
  • h300s firmware -
  • h410c firmware -
  • h410s firmware -
  • h500s firmware -
  • h700s firmware -
  • jquery ui
  • jquery ui checkboxradio 8.x-1.0
  • jquery ui checkboxradio 8.x-1.1
  • jquery ui checkboxradio 8.x-1.2
  • jquery ui checkboxradio 8.x-1.3
  • oncommand insight -