CVE-2021-41184: XSS in the `of` option of the `.position()` util

Published Oct 25, 2021
·
Updated

Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: js $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function.

Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds A workaround is to not accept the value of the of option from untrusted sources.

For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Other sources

jQuery jQuery-UI is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the .position() function. A remote attacker could exploit this vulnerability using the of parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

IBM

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Affected Software

78 affected componentsFixes available
rubygems/jquery-ui-rails<7.0.0
7.0.0
nuget/jQuery.UI.Combined<1.13.0
1.13.0
maven/org.webjars.npm:jquery-ui<1.13.0
1.13.0
npm/jquery-ui<1.13.0
1.13.0
debian/jqueryui
1.12.1+dfsg-8+deb11u21.13.2+dfsg-1
debian/otrs2<=6.0.32-6
IBM QRadar SIEM<=7.5.0 GA
IBM QRadar SIEM<=7.4.3 GA - 7.4.3 FP4
IBM QRadar SIEM<=7.3.3 GA - 7.3.3 FP10
jqueryui Jquery Ui Jquery<1.13.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
All of the following
NetApp H300s Firmware
NetApp H300s
All of the following
NetApp H500s Firmware
NetApp H500s
All of the following
NetApp H700s Firmware
NetApp H700s
All of the following
NetApp H300e Firmware
NetApp H300e
All of the following
NetApp H500e Firmware
NetApp H500e
All of the following
NetApp H700e Firmware
NetApp H700e
All of the following
NetApp H410s Firmware
NetApp H410s
All of the following
NetApp H410c Firmware
NetApp H410c
Drupal Drupal>=7.0<7.86
Drupal Drupal>=9.2.0<9.2.11
Drupal Drupal>=9.3.0<9.3.3
Tenable Tenable.Sc<5.21.0
Oracle Agile PLM=9.3.6
Oracle Application Express<22.1.1
Oracle Banking Platform=2.9.0
Oracle Banking Platform=2.12.0
Oracle Big Data Spatial And Graph<23.1
Oracle Big Data Spatial And Graph=23.1
Oracle Communications Interactive Session Recorder=6.4
Oracle Communications Operations Monitor=4.3
Oracle Communications Operations Monitor=4.4
Oracle Communications Operations Monitor=5.0
Oracle Hospitality Inventory Management=9.1.0
Oracle Hospitality Materials Control=18.1
Oracle Hospitality Suite8>=8.11.0<=8.14.0
Oracle Hospitality Suite8=8.10.2
Oracle JD Edwards EnterpriseOne Tools<=9.2.6.3
Oracle PeopleSoft Enterprise PeopleTools=8.58
Oracle PeopleSoft Enterprise PeopleTools=8.59
Oracle Policy Automation>=12.2.0<=12.2.25
Oracle Primavera Unifier>=17.7<=17.12
Oracle Primavera Unifier=18.8
Oracle Primavera Unifier=19.12
Oracle Primavera Unifier=20.12
Oracle Primavera Unifier=21.12
Oracle REST Data Services<22.1.1
Oracle REST Data Services=22.1.1
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
NetApp H300s Firmware
NetApp H300s
NetApp H500s Firmware
NetApp H500s
NetApp H700s Firmware
NetApp H700s
NetApp H300e Firmware
NetApp H300e
NetApp H500e Firmware
NetApp H500e
NetApp H700e Firmware
NetApp H700e
NetApp H410s Firmware
NetApp H410s
NetApp H410c Firmware
NetApp H410c

Remediation

Patch Available

https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280

Patch Available

https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.tenable.com/security/tns-2022-09

Event History

Oct 25, 2021
CVE Published
12:00 AM
Data Sourced
12:00 AM
RemedyDescriptionSeverityWeaknessAffected Software
Oct 26, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Advisory Published
02:55 PM
Data Sourced
via NVD·03:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Nov 1, 2021
Data Sourced
via Red Hat·05:24 PM
DescriptionSeverityAffected Software
Jan 12, 2024
Data Sourced
via Launchpad·12:00 AM
Description
Sep 16, 2024
Data Sourced
via Ubuntu·02:35 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2021-41184?

CVE-2021-41184 is classified as a medium severity vulnerability due to potential code execution from untrusted sources.

2

How do I fix CVE-2021-41184?

To remediate CVE-2021-41184, update jquery-ui to version 1.13.0 or later.

3

What systems are affected by CVE-2021-41184?

CVE-2021-41184 affects various versions of jquery-ui used in applications like jQuery UI Combined and jQuery UI Rails.

4

What is the impact of CVE-2021-41184?

The vulnerability allows the execution of untrusted code due to the acceptance of malicious input in the '.position()' method.

5

Can CVE-2021-41184 lead to security breaches?

Yes, CVE-2021-41184 can potentially lead to security breaches if exploited effectively by an attacker.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203