jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Project:

jQuery UI Datepicker

Date:

2022-January-19

Security risk:

Moderately critical 14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default

Vulnerability:

Cross Site Scripting

Affected versions:

<1.2.0

Description:

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.

jQuery UI was previously thought to be end-of-life.

Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issues that may affect site using the jQuery UI Datepicker module:

CVE-2021-41182: XSS in the altField option of the Datepicker widget
CVE-2021-41183: XSS in *Text options of the Datepicker widget

Solution:

Install the latest version:

If you use the jQuery UI Datepicker module for Drupal 9.x, upgrade to jQuery UI Datepicker 8.x-1.2

Reported By:

Lauri Eskola

Fixed By:

Andrei Ivnitskii
Ben Mullins
Lauri Eskola

Contribution record

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community