CVE-2021-41182: XSS in the `altField` option of the Datepicker widget

Published Oct 25, 2021
·
Updated

Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: js $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function.

Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds A workaround is to not accept the value of the altField option from untrusted sources.

For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Other sources

jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the altField parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

IBM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Affected Software

84 affected componentsFixes available
rubygems/jquery-ui-rails<7.0.0
7.0.0
maven/org.webjars.npm:jquery-ui<1.13.0
1.13.0
nuget/jQuery.UI.Combined<1.13.0
1.13.0
npm/jquery-ui<1.13.0
1.13.0
debian/jqueryui
1.12.1+dfsg-8+deb11u21.13.2+dfsg-1
debian/otrs2<=6.0.32-6
IBM QRadar SIEM<=7.5.0 GA
IBM QRadar SIEM<=7.4.3 GA - 7.4.3 FP4
IBM QRadar SIEM<=7.3.3 GA - 7.3.3 FP10
jqueryui Jquery Ui Jquery<1.13.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
NetApp H500s Firmware
NetApp H500s
NetApp H700s Firmware
NetApp H700s
NetApp H300e Firmware
NetApp H300e
NetApp H500e Firmware
NetApp H500e
NetApp H700e Firmware
NetApp H700e
NetApp H410s Firmware
NetApp H410s
NetApp H410c Firmware
NetApp H410c
NetApp H300s Firmware
NetApp H300s
Debian Debian Linux=9.0
Drupal Drupal>=7.0<7.86
Oracle Communications Interactive Session Recorder=6.4
Oracle Communications Operations Monitor=4.3
Oracle Communications Operations Monitor=4.4
Oracle Communications Operations Monitor=5.0
Oracle Hospitality Suite8>=8.11.0<=8.14.0
Oracle Hospitality Suite8=8.10.2
Oracle MySQL Enterprise Monitor<=8.0.29
Oracle Primavera Unifier=17.7
Oracle Primavera Unifier=17.8
Oracle Primavera Unifier=17.9
Oracle Primavera Unifier=17.10
Oracle Primavera Unifier=17.11
Oracle Primavera Unifier=17.12
Oracle Primavera Unifier=18.8
Oracle Primavera Unifier=19.12
Oracle Primavera Unifier=20.12
Oracle Primavera Unifier=21.12
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
Tenable Tenable.Sc<5.21.0
Oracle Agile PLM=9.3.6
Oracle Application Express<22.1.1
Oracle Banking Platform=2.9.0
Oracle Banking Platform=2.12.0
Oracle Big Data Spatial And Graph<23.1
Oracle Big Data Spatial And Graph=23.1
Oracle Hospitality Inventory Management=9.1.0
Oracle Hospitality Materials Control=18.1
Oracle JD Edwards EnterpriseOne Tools<=9.2.6.3
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Oracle Policy Automation>=12.2.0<=12.2.25
Oracle Primavera Unifier>=17.7<=17.12
Oracle REST Data Services<22.1.1
Oracle REST Data Services=22.1.1
All of the following
NetApp H500s Firmware
NetApp H500s
All of the following
NetApp H700s Firmware
NetApp H700s
All of the following
NetApp H300e Firmware
NetApp H300e
All of the following
NetApp H500e Firmware
NetApp H500e
All of the following
NetApp H700e Firmware
NetApp H700e
All of the following
NetApp H410s Firmware
NetApp H410s
All of the following
NetApp H410c Firmware
NetApp H410c
All of the following
NetApp H300s Firmware
NetApp H300s

Remediation

Patch Available

https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Event History

Oct 25, 2021
CVE Published
12:00 AM
Data Sourced
12:00 AM
RemedyDescriptionSeverityWeaknessAffected Software
Oct 26, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Advisory Published
02:55 PM
Data Sourced
via NVD·03:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Nov 1, 2021
Data Sourced
via Red Hat·05:18 PM
DescriptionSeverityAffected Software
Jan 12, 2024
Data Sourced
via Launchpad·12:00 AM
Description
Sep 16, 2024
Data Sourced
via Ubuntu·02:35 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2021-41182?

CVE-2021-41182 is classified as a high-severity vulnerability due to its potential to execute untrusted code from untrusted sources.

2

How do I fix CVE-2021-41182?

To fix CVE-2021-41182, update your jQuery UI libraries to versions 1.13.0 or higher, or jQuery UI Rails to version 7.0.0 or higher.

3

What types of software are affected by CVE-2021-41182?

CVE-2021-41182 affects multiple packages including jQuery UI from various sources such as RubyGems, Maven, and npm, specifically versions below 1.13.0.

4

What is the exploit vector for CVE-2021-41182?

The exploit vector for CVE-2021-41182 involves setting the `altField` option of the Datepicker widget to untrusted values, potentially leading to code execution.

5

Are there any patches available for CVE-2021-41182?

Yes, patches are available for CVE-2021-41182 in the updated versions of jQuery UI and related packages.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203