CVE-2021-41183: XSS in `*Text` options of the Datepicker widget

Published Oct 25, 2021
·
Updated

Impact Accepting the value of various Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: js $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all Text options.

Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various Text options are now always treated as pure text, not HTML.

Workarounds A workaround is to not accept the value of the Text options from untrusted sources.

For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Other sources

jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Datepicker widget. A remote attacker could exploit this vulnerability using the Text parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

IBM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the Text options from untrusted sources.

Affected Software

79 affected componentsFixes available
rubygems/jquery-ui-rails<7.0.0
7.0.0
nuget/jQuery.UI.Combined<1.13.0
1.13.0
maven/org.webjars.npm:jquery-ui<1.13.0
1.13.0
npm/jquery-ui<1.13.0
1.13.0
debian/jqueryui
1.12.1+dfsg-8+deb11u21.13.2+dfsg-1
debian/otrs2<=6.0.32-6
IBM QRadar SIEM<=7.5.0 GA
IBM QRadar SIEM<=7.4.3 GA - 7.4.3 FP4
IBM QRadar SIEM<=7.3.3 GA - 7.3.3 FP10
jqueryui Jquery Ui Jquery<1.13.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
All of the following
NetApp H300s Firmware
NetApp H300s
All of the following
NetApp H500s Firmware
NetApp H500s
All of the following
NetApp H700s Firmware
NetApp H700s
All of the following
NetApp H300e Firmware
NetApp H300e
All of the following
NetApp H500e Firmware
NetApp H500e
All of the following
NetApp H700e Firmware
NetApp H700e
All of the following
NetApp H410s Firmware
NetApp H410s
All of the following
NetApp H410c Firmware
NetApp H410c
Debian Debian Linux=9.0
Drupal Drupal>=7.0<7.86
Drupal Drupal>=9.2.0<9.2.11
Drupal Drupal>=9.3.0<9.3.3
Oracle Agile PLM=9.3.6
Oracle Application Express<22.1.1
Oracle Banking Platform=2.9.0
Oracle Banking Platform=2.12.0
Oracle Big Data Spatial And Graph<23.1
Oracle Big Data Spatial And Graph=23.1
Oracle Communications Interactive Session Recorder=6.4
Oracle Communications Operations Monitor=4.3
Oracle Communications Operations Monitor=4.4
Oracle Communications Operations Monitor=5.0
Oracle Hospitality Inventory Management=9.1.0
Oracle Hospitality Suite8>=8.11.0<=11.14.0
Oracle Hospitality Suite8=8.10.2
Oracle JD Edwards EnterpriseOne Tools<=9.2.6.3
Oracle MySQL Enterprise Monitor<=8.0.29
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Oracle Policy Automation>=12.2.0<=12.2.5
Oracle Primavera Gateway>=17.7<=17.12
Oracle Primavera Gateway=18.8.0
Oracle Primavera Gateway=19.12.0
Oracle Primavera Gateway=20.12.0
Oracle Primavera Gateway=21.12.0
Oracle REST Data Services<22.1.1
Oracle REST Data Services=22.1.1
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
Tenable Tenable.Sc<5.21.0
NetApp H300s Firmware
NetApp H300s
NetApp H500s Firmware
NetApp H500s
NetApp H700s Firmware
NetApp H700s
NetApp H300e Firmware
NetApp H300e
NetApp H500e Firmware
NetApp H500e
NetApp H700e Firmware
NetApp H700e
NetApp H410s Firmware
NetApp H410s
NetApp H410c Firmware
NetApp H410c

Remediation

Patch Available

https://github.com/jquery/jquery-ui/pull/1953

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.tenable.com/security/tns-2022-09

Event History

Oct 25, 2021
CVE Published
12:00 AM
Data Sourced
12:00 AM
RemedyDescriptionSeverityWeaknessAffected Software
Oct 26, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Advisory Published
02:55 PM
Data Sourced
via NVD·03:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Nov 1, 2021
Data Sourced
via Red Hat·05:21 PM
DescriptionSeverityAffected Software
Jan 12, 2024
Data Sourced
via Launchpad·12:00 AM
Description
Sep 16, 2024
Data Sourced
via Ubuntu·02:35 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2021-41183?

CVE-2021-41183 is categorized as a high severity vulnerability due to its potential to execute untrusted code.

2

How do I fix CVE-2021-41183?

To fix CVE-2021-41183, ensure you update to the patched versions of the affected packages such as jquery-ui-rails 7.0.0 or jQuery.UI.Combined 1.13.0.

3

Which applications are affected by CVE-2021-41183?

Applications using vulnerable versions of the Datepicker widget in jQuery UI are affected by CVE-2021-41183.

4

What are the consequences of CVE-2021-41183 if exploited?

If exploited, CVE-2021-41183 could allow an attacker to run arbitrary code within the context of the web application.

5

What versions of jQuery UI are vulnerable to CVE-2021-41183?

Versions of jQuery UI prior to 1.13.0 are vulnerable to CVE-2021-41183.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203