CVE-2021-41182 @ Npm-jquery-ui-1.10.4

**Vulnerable Package** issue exists @ **Npm\-jquery\-ui\-1.10.4** in branch **main**

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0-alpha.1, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0-alpha.1. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

**Namespace:** CxDemoInABoxRepos
**Repository:** Java-Webgoat
**Repository Url:** https://github.com/CxDemoInABoxRepos/Java-Webgoat
**CxAST\-Project:** CxDemoInABoxRepos/Java-Webgoat
**CxAST platform scan:** [15076145\-61a1\-4d21\-a896\-a138ffd875d6](https://deu.ast.checkmarx.net/projects/26b3e443-162d-4768-a7fd-3d09781bac58/scans?id=15076145-61a1-4d21-a896-a138ffd875d6&branch=main)
**Branch:** main
**Application:** Java-Webgoat
**Severity:** MEDIUM
**State:** TO_VERIFY
**Status:** RECURRENT
**CWE:** CWE-79


----
**Additional Info**
**Attack vector:** NETWORK
**Attack complexity:** LOW
**Confidentiality impact:** LOW
**Availability impact:** NONE
**Remediation Upgrade Recommendation:** 1.13.0


----
**References**
[Advisory](https://github.com/advisories/GHSA-9gj3-hwp5-pmwc)
[Release Note](https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/)
[Pull request](https://github.com/jquery/jquery-ui/pull/1954)
[Commit](https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2021-41182 @ Npm-jquery-ui-1.10.4 #802

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2021-41182 @ Npm-jquery-ui-1.10.4 #802

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions